It's trivial to craft a HTTP response that will make the code for skipping trailing whitespace access and possibly overwrite bytes outside of the memory allocation. Why this can happen is blindingly obvious: it accesses cstr[strlen(cstr)-1] without checking whether the string is empty. --- libavformat/http.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/libavformat/http.c b/libavformat/http.c index d7a72e7129..59f90ac603 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -750,6 +750,9 @@ static int parse_set_cookie(const char *set_cookie, AVDictionary **dict) { char *param, *next_param, *cstr, *back; + if (!set_cookie[0]) + return 0; + if (!(cstr = av_strdup(set_cookie))) return AVERROR(EINVAL); -- 2.16.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel