diff options
author | Daniel Stenberg <daniel@haxx.se> | 2019-09-18 14:29:35 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2019-09-20 08:58:33 +0200 |
commit | bc7014e7f8177cfc1a279bc6bd6621405595107d (patch) | |
tree | bc9df18fa0cabb3903ce8efdc91f538c3998c4d1 | |
parent | 1c02a4e8747defab6607e90173d294875eb73ba1 (diff) | |
download | curl-bagder/cookies-qsort.tar.gz |
cookie: pass in the correct cookie amount to qsort()bagder/cookies-qsort
As the loop discards cookies without domain set. This bug would lead to
qsort() trying to sort uninitialized pointers. We have however not found
it a security problem.
Reported-by: Paul Dreik
-rw-r--r-- | lib/cookie.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/lib/cookie.c b/lib/cookie.c index 53ca40237..0e71129de 100644 --- a/lib/cookie.c +++ b/lib/cookie.c @@ -1528,28 +1528,28 @@ static int cookie_output(struct CookieInfo *c, const char *dumphere) if(c->numcookies) { unsigned int i; - unsigned int j; + size_t nvalid = 0; struct Cookie **array; - array = malloc(sizeof(struct Cookie *) * c->numcookies); + array = calloc(1, sizeof(struct Cookie *) * c->numcookies); if(!array) { if(!use_stdout) fclose(out); return 1; } - j = 0; + /* only sort the cookies with a domain property */ for(i = 0; i < COOKIE_HASH_SIZE; i++) { for(co = c->cookies[i]; co; co = co->next) { if(!co->domain) continue; - array[j++] = co; + array[nvalid++] = co; } } - qsort(array, c->numcookies, sizeof(struct Cookie *), cookie_sort_ct); + qsort(array, nvalid, sizeof(struct Cookie *), cookie_sort_ct); - for(i = 0; i < j; i++) { + for(i = 0; i < nvalid; i++) { char *format_ptr = get_netscape_format(array[i]); if(format_ptr == NULL) { fprintf(out, "#\n# Fatal libcurl error\n"); |