diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2017-10-08 17:15:44 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2017-10-08 17:51:10 +0200 |
| commit | 6df6367188ea4ebacb87bd8aef6a673e94a91485 (patch) | |
| tree | 4f644c8835153c208737390bdbac4a7ea8435cd5 /lib | |
| parent | b2df2d47e58d1150f11ea2f42aac6b84fa7f4d00 (diff) | |
| download | curl-bagder/rtsp-integer-overflow.tar.gz | |
RTSP: avoid integer overflow on funny RTSP responsebagder/rtsp-integer-overflow
... like a very large non-existing RTSP version number.
Added test 577 to verify.
Detected by OSS-fuzz.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/http.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/http.c b/lib/http.c index 38227eb6c..b3978af42 100644 --- a/lib/http.c +++ b/lib/http.c @@ -3387,12 +3387,14 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, } } else if(conn->handler->protocol & CURLPROTO_RTSP) { + char separator; nc = sscanf(HEADER1, - " RTSP/%d.%d %3d", + " RTSP/%1d.%1d%c%3d", &rtspversion_major, &conn->rtspversion, + &separator, &k->httpcode); - if(nc == 3) { + if((nc == 4) && (' ' == separator)) { conn->rtspversion += 10 * rtspversion_major; conn->httpversion = 11; /* For us, RTSP acts like HTTP 1.1 */ } |