[vlc-commits] httpd: Fix potential out of bound write
Hugo Beauzée-Luyssen
git at videolan.org
Wed Jun 27 11:25:02 CEST 2018
vlc | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Wed Jun 27 11:06:42 2018 +0200| [d087a5f90abe4250ea7f3552f5031834abb689bd] | committer: Hugo Beauzée-Luyssen
httpd: Fix potential out of bound write
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=d087a5f90abe4250ea7f3552f5031834abb689bd
---
src/network/httpd.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/network/httpd.c b/src/network/httpd.c
index 49c1471c96..65e718a197 100644
--- a/src/network/httpd.c
+++ b/src/network/httpd.c
@@ -1312,7 +1312,8 @@ static void httpd_ClientRecv(httpd_client_t *cl)
cl->i_state = HTTPD_CLIENT_RECEIVE_DONE;
} else for (;;) { /* we are reading a header -> char by char */
if (cl->i_buffer == cl->i_buffer_size) {
- uint8_t *newbuf = realloc(cl->p_buffer, cl->i_buffer_size + 1024);
+ // Allocate an extra byte for the termination null byte
+ uint8_t *newbuf = realloc(cl->p_buffer, cl->i_buffer_size + 1025);
if (!newbuf) {
i_len = 0;
break;
@@ -1893,7 +1894,8 @@ static void httpdLoop(httpd_host_t *host)
cl->i_buffer = 0;
cl->i_buffer_size = 1000;
free(cl->p_buffer);
- cl->p_buffer = xmalloc(cl->i_buffer_size);
+ // Allocate an extra byte for the null terminating byte
+ cl->p_buffer = xmalloc(cl->i_buffer_size + 1);
cl->i_state = HTTPD_CLIENT_RECEIVING;
} else
cl->i_state = HTTPD_CLIENT_DEAD;
More information about the vlc-commits
mailing list