soup-message-io: prevent a possible out-of-bounds memory access
authorDan Winship <danw@gnome.org>
Wed, 22 Feb 2012 18:29:55 +0000 (13:29 -0500)
committerDan Winship <danw@gnome.org>
Wed, 22 Feb 2012 18:30:30 +0000 (13:30 -0500)
libsoup/soup-message-io.c

index 16eea04..cf2a2e3 100644 (file)
@@ -316,12 +316,12 @@ read_metadata (SoupMessage *msg, gboolean to_blank)
                if (got_lf) {
                        if (!to_blank)
                                break;
-                       if (nread == 1 &&
+                       if (nread == 1 && io->read_meta_buf->len >= 2 &&
                            !strncmp ((char *)io->read_meta_buf->data +
                                      io->read_meta_buf->len - 2,
                                      "\n\n", 2))
                                break;
-                       else if (nread == 2 &&
+                       else if (nread == 2 && io->read_meta_buf->len >= 3 &&
                                 !strncmp ((char *)io->read_meta_buf->data +
                                           io->read_meta_buf->len - 3,
                                           "\n\r\n", 3))
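Review bot: The new length guards on the `nread == 1` and `nread == 2` branches are correct but unexplained, and the constants 2 and 3 are silently tied to the lengths of the `"\n\n"` and `"\n\r\n"` literals. I would add a comment above the first test such as `/* read_meta_buf may hold only the line just read; len is unsigned, so len - 2 or len - 3 would wrap and read outside the buffer */`; this assumes read_meta_buf is a GByteArray with a guint len, since its declaration is not in the hunk. Because the data is a byte buffer rather than a NUL-terminated string, `memcmp` would state the intent more directly than `strncmp` with a cast. A regression test that feeds a message whose first line is blank would keep the guards from being dropped in a later cleanup. read_metadata begins and ends outside this hunk.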