diff options
author | Daniel Stenberg <daniel@haxx.se> | 2017-10-08 17:15:44 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2017-10-09 00:41:48 +0200 |
commit | 232dffcf2422baefa66617fdae2fb20085a8e386 (patch) | |
tree | 7c066be3e8b10c7cf9167617ac9b66e7feffaf65 /lib/http.c | |
parent | eb04636d68b078ac86558147ca124676f32dc285 (diff) | |
download | curl-232dffcf2422baefa66617fdae2fb20085a8e386.tar.gz |
RTSP: avoid integer overflow on funny RTSP response
... like a very large non-existing RTSP version number.
Added test 577 to verify.
Detected by OSS-fuzz.
Closes #1969
Diffstat (limited to 'lib/http.c')
-rw-r--r-- | lib/http.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/http.c b/lib/http.c index 38227eb6c..b3978af42 100644 --- a/lib/http.c +++ b/lib/http.c @@ -3387,12 +3387,14 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, } } else if(conn->handler->protocol & CURLPROTO_RTSP) { + char separator; nc = sscanf(HEADER1, - " RTSP/%d.%d %3d", + " RTSP/%1d.%1d%c%3d", &rtspversion_major, &conn->rtspversion, + &separator, &k->httpcode); - if(nc == 3) { + if((nc == 4) && (' ' == separator)) { conn->rtspversion += 10 * rtspversion_major; conn->httpversion = 11; /* For us, RTSP acts like HTTP 1.1 */ } |