[vlc-commits] httpd: Fix potential out of bound write
Hugo Beauzée-Luyssen
git at videolan.org
Thu Jul 5 11:42:27 CEST 2018
vlc/vlc-3.0 | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Wed Jun 27 11:06:42 2018 +0200| [8dd42113957a2f9a9b60c540585f64066141e631] | committer: Hugo Beauzée-Luyssen
httpd: Fix potential out of bound write
(cherry picked from commit d087a5f90abe4250ea7f3552f5031834abb689bd)
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>
> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=8dd42113957a2f9a9b60c540585f64066141e631
---
src/network/httpd.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/network/httpd.c b/src/network/httpd.c
index e517206232..f0790694ff 100644
--- a/src/network/httpd.c
+++ b/src/network/httpd.c
@@ -1315,7 +1315,8 @@ static void httpd_ClientRecv(httpd_client_t *cl)
cl->i_state = HTTPD_CLIENT_RECEIVE_DONE;
} else for (;;) { /* we are reading a header -> char by char */
if (cl->i_buffer == cl->i_buffer_size) {
- uint8_t *newbuf = realloc(cl->p_buffer, cl->i_buffer_size + 1024);
+ // Allocate an extra byte for the termination null byte
+ uint8_t *newbuf = realloc(cl->p_buffer, cl->i_buffer_size + 1025);
if (!newbuf) {
i_len = 0;
break;
@@ -1897,7 +1898,8 @@ static void httpdLoop(httpd_host_t *host)
cl->i_buffer = 0;
cl->i_buffer_size = 1000;
free(cl->p_buffer);
- cl->p_buffer = xmalloc(cl->i_buffer_size);
+ // Allocate an extra byte for the null terminating byte
+ cl->p_buffer = xmalloc(cl->i_buffer_size + 1);
cl->i_state = HTTPD_CLIENT_RECEIVING;
} else
cl->i_state = HTTPD_CLIENT_DEAD;
More information about the vlc-commits
mailing list