From: Jaroslav Kysela
Date: Thu, 24 Mar 2016 08:03:27 +0000 (+0100)
Subject: http client: fix possible out-of-range data access, fixes #3611
X-Git-Tag: v4.2.1~821
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=41707e1d9de65a6e2d8634e2647dab978a774801;p=thirdparty%2Ftvheadend.git

http client: fix possible out-of-range data access, fixes #3611
---
diff --git a/src/httpc.c b/src/httpc.c
index 701a64855..da91f9a45 100644
--- a/src/httpc.c
+++ b/src/httpc.c
@@ -901,7 +901,7 @@ static int
 http_client_run0( http_client_t *hc )
 {
 char *buf, *saveptr, *argv[3], *d, *p;
- int ver, res, delimsize = 4;
+ int ver, res, delimsize;
 ssize_t r;
 size_t len;
@@ -929,10 +929,13 @@ http_client_run0( http_client_t *hc )
 buf = alloca(hc->hc_io_size);
 if (!hc->hc_in_data && !hc->hc_in_rtp_data && hc->hc_rpos > 3) {
+ hc->hc_rbuf[hc->hc_rpos] = '\0';
 if (hc->hc_version == RTSP_VERSION_1_0 && hc->hc_rbuf[0] == '$')
 goto rtsp_data;
- else if ((d = strstr(hc->hc_rbuf, "\r\n\r\n")) != NULL)
+ else if ((d = strstr(hc->hc_rbuf, "\r\n\r\n")) != NULL) {
+ delimsize = 4;
 goto header;
+ }
 if ((d = strstr(hc->hc_rbuf, "\n\n")) != NULL) {
 delimsize = 2;
 goto header;
@@ -984,13 +987,14 @@ retry:
 }
 memcpy(hc->hc_rbuf + hc->hc_rpos, buf, r);
 hc->hc_rpos += r;
- hc->hc_rbuf[hc->hc_rpos] = '\0';
 next_header:
 if (hc->hc_rpos < 3)
 return HTTP_CON_RECEIVING;
 if (hc->hc_version == RTSP_VERSION_1_0 && hc->hc_rbuf[0] == '$')
 goto rtsp_data;
+ hc->hc_rbuf[hc->hc_rpos] = '\0';
+ delimsize = 4;
 if ((d = strstr(hc->hc_rbuf, "\r\n\r\n")) == NULL) {
 delimsize = 2;
 if ((d = strstr(hc->hc_rbuf, "\n\n")) == NULL)
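Review bot: Dropping the initializer from `delimsize` in the declaration means any path that reaches the `header` label without an assignment now reads an indeterminate value. The later hunks assign it before each visible `goto header` and before the `strstr` calls after `next_header`, but the `header` label and any other jumps to it lie outside the hunks, so this cannot be confirmed from here. Keeping a defensive default next to the per-path assignments, `int ver, res, delimsize = 4;`, costs nothing and rules out a wrong skip length when parsing remote response data.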
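Review bot: The added store `hc->hc_rbuf[hc->hc_rpos] = '\0';` writes one byte past the received data, so it is safe only if the buffer always holds at least `hc_rpos + 1` bytes. The allocation is not visible in this hunk (the function continues outside it), and the same store appears in the last hunk after `next_header`. Once confirmed against the code that grows the buffer, I would record the invariant at the store, e.g. `/* hc_rbuf is allocated with one spare byte for this terminator */`. Separately, `strstr` stops at the first NUL byte, so a response carrying an embedded NUL ahead of the blank line hides the delimiter; a length-bounded search over `hc_rpos` bytes would not depend on termination at all.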
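Review bot: Moving the terminator store below the `'$'` test means the receive path now jumps to `rtsp_data` with `hc_rbuf` not NUL-terminated at `hc_rpos`, whereas the removed post-`memcpy` store terminated it first. That is fine only if everything under `rtsp_data` works from `hc_rpos` lengths and never applies string functions to the buffer; the label is outside the hunk, so this should be checked. A short comment at the store would record the assumption: `/* terminate for the strstr() header search only; rtsp_data is length-based */`. The entry check in the earlier hunk uses `hc_rpos > 3` while this one returns only for `hc_rpos < 3`; the difference looks harmless but is worth aligning.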