diff options
author | rtogni <rtogni@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2006-06-04 22:41:27 +0000 |
---|---|---|
committer | rtogni <rtogni@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2006-06-04 22:41:27 +0000 |
commit | 9da93175794398fefeb45c6c53abdcdeda325101 (patch) | |
tree | 1dad782a7785b845d9bfc950631e91c01369154b /libmpdemux/http.c | |
parent | b4ddc383ef4e4d537417999e390ab90631e7b6aa (diff) | |
download | mpv-9da93175794398fefeb45c6c53abdcdeda325101.tar.bz2 mpv-9da93175794398fefeb45c6c53abdcdeda325101.tar.xz |
Fix potential integer overflows in memory allocation.
Patch by Rich and me
git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@18559 b3059339-0415-0410-9bf9-f77b7e298cf2
Diffstat (limited to 'libmpdemux/http.c')
-rw-r--r-- | libmpdemux/http.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/libmpdemux/http.c b/libmpdemux/http.c index 95ad075333..d175c9b8a3 100644 --- a/libmpdemux/http.c +++ b/libmpdemux/http.c @@ -315,6 +315,10 @@ int http_response_append( HTTP_header_t *http_hdr, char *response, int length ) { if( http_hdr==NULL || response==NULL || length<0 ) return -1; + if( (unsigned)length > SIZE_MAX - http_hdr->buffer_size - 1) { + mp_msg(MSGT_NETWORK,MSGL_FATAL,"Bad size in memory (re)allocation\n"); + return -1; + } http_hdr->buffer = (char*)realloc( http_hdr->buffer, http_hdr->buffer_size+length+1 ); if( http_hdr->buffer==NULL ) { mp_msg(MSGT_NETWORK,MSGL_FATAL,"Memory (re)allocation failed\n"); @@ -340,7 +344,8 @@ int http_response_parse( HTTP_header_t *http_hdr ) { char *hdr_ptr, *ptr; char *field=NULL; - int pos_hdr_sep, hdr_sep_len, len; + int pos_hdr_sep, hdr_sep_len; + size_t len; if( http_hdr==NULL ) return -1; if( http_hdr->is_parsed ) return 0; |