[vlc-commits] httpd: Fix potential out of bound write

Hugo Beauzée-Luyssen git at videolan.org
Thu Jul 5 11:42:27 CEST 2018


vlc/vlc-3.0 | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Wed Jun 27 11:06:42 2018 +0200| [8dd42113957a2f9a9b60c540585f64066141e631] | committer: Hugo Beauzée-Luyssen

httpd: Fix potential out of bound write

(cherry picked from commit d087a5f90abe4250ea7f3552f5031834abb689bd)
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=8dd42113957a2f9a9b60c540585f64066141e631
---

 src/network/httpd.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/network/httpd.c b/src/network/httpd.c
index e517206232..f0790694ff 100644
--- a/src/network/httpd.c
+++ b/src/network/httpd.c
@@ -1315,7 +1315,8 @@ static void httpd_ClientRecv(httpd_client_t *cl)
             cl->i_state = HTTPD_CLIENT_RECEIVE_DONE;
     } else for (;;) { /* we are reading a header -> char by char */
         if (cl->i_buffer == cl->i_buffer_size) {
-            uint8_t *newbuf = realloc(cl->p_buffer, cl->i_buffer_size + 1024);
+            // Allocate an extra byte for the termination null byte
+            uint8_t *newbuf = realloc(cl->p_buffer, cl->i_buffer_size + 1025);
             if (!newbuf) {
                 i_len = 0;
                 break;
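Review bot: The rule that `cl->p_buffer` is always allocated one byte larger than `cl->i_buffer_size` is now carried only by two comments and the literal `1025` in this realloc call, so a later change to the growth step or to another allocation site could silently bring back the out-of-bounds terminator write. Writing the size as `cl->i_buffer_size + 1024 + 1`, or using a named constant or small helper shared with the `xmalloc(cl->i_buffer_size + 1)` in the httpdLoop hunk, would keep the growth step and the terminator byte distinguishable. Any other place that allocates `cl->p_buffer` is outside this diff and should be checked for the same +1. The update of `i_buffer_size` after the realloc and the terminator write itself are also outside the hunk, so the invariant is inferred from the comments rather than from visible code.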
@@ -1897,7 +1898,8 @@ static void httpdLoop(httpd_host_t *host)
                         cl->i_buffer = 0;
                         cl->i_buffer_size = 1000;
                         free(cl->p_buffer);
-                        cl->p_buffer = xmalloc(cl->i_buffer_size);
+                        // Allocate an extra byte for the null terminating byte
+                        cl->p_buffer = xmalloc(cl->i_buffer_size + 1);
                         cl->i_state = HTTPD_CLIENT_RECEIVING;
                     } else
                         cl->i_state = HTTPD_CLIENT_DEAD;


