By passing specially crafted header values, the skip loops in the
header_value() function may overrun the input buffer by one byte
each.
Reported-by: Jinwei Dong <jwdong2000@qq.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
if (len < 10 || strncasecmp(data, "form-data", 9))
return 0;
if (len < 10 || strncasecmp(data, "form-data", 9))
return 0;
- for (data += 9, len -= 9; *data == ' ' || *data == ';'; data++, len--);
+ for (data += 9, len -= 9; len > 0 && (*data == ' ' || *data == ';'); data++, len--);
if (len < 8 || strncasecmp(data, "name=\"", 6))
return 0;
if (len < 8 || strncasecmp(data, "name=\"", 6))
return 0;
- for (data += 6, len -= 6, i = 0; i <= len; i++)
+ for (data += 6, len -= 6, i = 1; i < len; i++)
- if (*(data + i) != '"')
- continue;
-
- for (j = 1; j < sizeof(parts) / sizeof(parts[0]); j++)
- if (!strncmp(data, parts[j], i))
- st.parttype = j;
+ if (data[i] == '"')
+ {
+ for (j = 1; j < sizeof(parts) / sizeof(parts[0]); j++)
+ if (!strncmp(data, parts[j], i - 1))
+ st.parttype = j;
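Review bot: The length passed in `strncmp(data, parts[j], i - 1)` looks one byte short. `data` points just past `name="` and `data[i]` is the closing quote, so the field name is `i` bytes long, not `i - 1`. With the loop now starting at `i = 1`, a one-character name gives a length of 0, for which strncmp() returns 0, so every entry of `parts` matches and `st.parttype` ends up as the last index. The length is also never compared with the length of `parts[j]`, so a request-supplied name that is only a prefix of a known one still selects a part type; consider `if (strlen(parts[j]) == i && !strncmp(data, parts[j], i))`. The end of the loop body is not visible here, so this covers only the lines shown.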