http client: fix possible out-of-range data access, fixes #3611

tvheadend · Mar 24, 2016 · 41707e1 · 41707e1
1 parent 465f64c
commit 41707e1
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/src/httpc.c b/src/httpc.c
@@ -901,7 +901,7 @@ static int
 http_client_run0( http_client_t *hc )
 {
   char *buf, *saveptr, *argv[3], *d, *p;
-  int ver, res, delimsize = 4;
+  int ver, res, delimsize;
   ssize_t r;
   size_t len;
 
@@ -929,10 +929,13 @@ http_client_run0( http_client_t *hc )
 
   buf = alloca(hc->hc_io_size);
   if (!hc->hc_in_data && !hc->hc_in_rtp_data && hc->hc_rpos > 3) {
+    hc->hc_rbuf[hc->hc_rpos] = '\0';
     if (hc->hc_version == RTSP_VERSION_1_0 && hc->hc_rbuf[0] == '$')
       goto rtsp_data;
-    else if ((d = strstr(hc->hc_rbuf, "\r\n\r\n")) != NULL)
+    else if ((d = strstr(hc->hc_rbuf, "\r\n\r\n")) != NULL) {
+      delimsize = 4;
       goto header;
+    }
     if ((d = strstr(hc->hc_rbuf, "\n\n")) != NULL) {
       delimsize = 2;
       goto header;
@@ -984,13 +987,14 @@ http_client_run0( http_client_t *hc )
   }
   memcpy(hc->hc_rbuf + hc->hc_rpos, buf, r);
   hc->hc_rpos += r;
-  hc->hc_rbuf[hc->hc_rpos] = '\0';
 
 next_header:
   if (hc->hc_rpos < 3)
     return HTTP_CON_RECEIVING;
   if (hc->hc_version == RTSP_VERSION_1_0 && hc->hc_rbuf[0] == '$')
     goto rtsp_data;
+  hc->hc_rbuf[hc->hc_rpos] = '\0';
+  delimsize = 4;
   if ((d = strstr(hc->hc_rbuf, "\r\n\r\n")) == NULL) {
     delimsize = 2;
     if ((d = strstr(hc->hc_rbuf, "\n\n")) == NULL)