summaryrefslogtreecommitdiff
path: root/lib/cookie.c
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2019-09-18 14:29:35 +0200
committerDaniel Stenberg <daniel@haxx.se>2019-09-21 16:07:52 +0200
commit0801343e27d4540afcdbbd8fe46aabaddd9da321 (patch)
treefac733b7ecfd00cd6e00f3b7ff9291485412f56b /lib/cookie.c
parent47066036a084a9ba0caf46db24072a429c44fabb (diff)
downloadcurl-0801343e27d4540afcdbbd8fe46aabaddd9da321.tar.gz
cookie: pass in the correct cookie amount to qsort()
As the loop discards cookies without domain set. This bug would lead to qsort() trying to sort uninitialized pointers. We have however not found it a security problem. Reported-by: Paul Dreik Closes #4386
Diffstat (limited to 'lib/cookie.c')
-rw-r--r--lib/cookie.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/lib/cookie.c b/lib/cookie.c
index 53ca40237..0e71129de 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -1528,28 +1528,28 @@ static int cookie_output(struct CookieInfo *c, const char *dumphere)
if(c->numcookies) {
unsigned int i;
- unsigned int j;
+ size_t nvalid = 0;
struct Cookie **array;
- array = malloc(sizeof(struct Cookie *) * c->numcookies);
+ array = calloc(1, sizeof(struct Cookie *) * c->numcookies);
if(!array) {
if(!use_stdout)
fclose(out);
return 1;
}
- j = 0;
+ /* only sort the cookies with a domain property */
for(i = 0; i < COOKIE_HASH_SIZE; i++) {
for(co = c->cookies[i]; co; co = co->next) {
if(!co->domain)
continue;
- array[j++] = co;
+ array[nvalid++] = co;
}
}
- qsort(array, c->numcookies, sizeof(struct Cookie *), cookie_sort_ct);
+ qsort(array, nvalid, sizeof(struct Cookie *), cookie_sort_ct);
- for(i = 0; i < j; i++) {
+ for(i = 0; i < nvalid; i++) {
char *format_ptr = get_netscape_format(array[i]);
if(format_ptr == NULL) {
fprintf(out, "#\n# Fatal libcurl error\n");