--- /dev/null
+From f28015671a4b04785859d1b4b1327b367b6a10e9 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Tue, 24 Jul 2018 09:28:43 +0100
+Subject: [PATCH] Fix buffer overflow in extract_status_code()
+
+Issue #960 identified that the buffer allocated for copying the
+HTTP status code could overflow if the http response was corrupted.
+
+This commit changes the way the status code is read, avoids copying
+data, and also ensures that the status code is three digits long,
+is non-negative and occurs on the first line of the response.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ lib/html.c | 23 +++++++++--------------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+diff --git a/lib/html.c b/lib/html.c
+index 5a3eaeac..69d3bd2d 100644
+--- a/lib/html.c
++++ b/lib/html.c
+@@ -58,23 +58,18 @@ size_t extract_content_length(char *buffer, size_t size)
+ */
+ int extract_status_code(char *buffer, size_t size)
+ {
+- char *buf_code;
+- char *begin;
+ char *end = buffer + size;
+- size_t inc = 0;
+- int code;
+-
+- /* Allocate the room */
+- buf_code = (char *)MALLOC(10);
++ unsigned long code;
+
+ /* Status-Code extraction */
+- while (buffer < end && *buffer++ != ' ') ;
+- begin = buffer;
+- while (buffer < end && *buffer++ != ' ')
+- inc++;
+- strncat(buf_code, begin, inc);
+- code = atoi(buf_code);
+- FREE(buf_code);
++ while (buffer < end && *buffer != ' ' && *buffer != '\r')
++ buffer++;
++ buffer++;
++ if (buffer + 3 >= end || *buffer == ' ' || buffer[3] != ' ')
++ return 0;
++ code = strtoul(buffer, &end, 10);
++ if (buffer + 3 != end)
++ return 0;
+ return code;
+ }
+
+--
+2.20.1
+
projects / feed / packages.git / commitdiff