http: avoid out of bound accesses on broken Set-Cookie headers

It's trivial to craft a HTTP response that will make the code for skipping trailing whitespace access and possibly overwrite bytes outside of the memory allocation. Why this can happen is blindingly obvious: it accesses cstr[strlen(cstr)-1] without checking whether the string is empty.
2025-01-24 13:56:33 +02:00 · 2018-03-08 04:47:40 +01:00 · 2018-03-08 04:47:40 +01:00 · c0687acbf6
commit c0687acbf6
parent 39c1d170a3
1 changed files with 3 additions and 0 deletions
--- a/libavformat/http.c
+++ b/libavformat/http.c
@ -750,6 +750,9 @@ static int parse_set_cookie(const char *set_cookie, AVDictionary **dict)
 {
    char *param, *next_param, *cstr, *back;

+    if (!set_cookie[0])
+        return 0;
+
    if (!(cstr = av_strdup(set_cookie)))
        return AVERROR(EINVAL);