moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-11-15 05:55:04 -05:00
Code Issues Releases Wiki Activity

cookie: pass in the correct cookie amount to qsort()

Browse Source 
As the loop discards cookies without domain set. This bug would lead to
qsort() trying to sort uninitialized pointers. We have however not found
it a security problem.

Reported-by: Paul Dreik
Closes #4386
This commit is contained in:
Daniel Stenberg 2019-09-18 14:29:35 +02:00
parent 47066036a0
commit 0801343e27
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
lib/cookie.c
View File

@ -1528,28 +1528,28 @@ static int cookie_output(struct CookieInfo *c, const char *dumphere)
if(c->numcookies) {
unsigned int i;
unsigned int j;
size_t nvalid = 0;
struct Cookie **array;
array = malloc(sizeof(struct Cookie *) * c->numcookies);
array = calloc(1, sizeof(struct Cookie *) * c->numcookies);
if(!array) {
if(!use_stdout)
fclose(out);
return 1;
}
j = 0;
/* only sort the cookies with a domain property */
for(i = 0; i < COOKIE_HASH_SIZE; i++) {
for(co = c->cookies[i]; co; co = co->next) {
if(!co->domain)
continue;
array[j++] = co;
array[nvalid++] = co;
}
}
qsort(array, c->numcookies, sizeof(struct Cookie *), cookie_sort_ct);
qsort(array, nvalid, sizeof(struct Cookie *), cookie_sort_ct);
for(i = 0; i < j; i++) {
for(i = 0; i < nvalid; i++) {
char *format_ptr = get_netscape_format(array[i]);
if(format_ptr == NULL) {
fprintf(out, "#\n# Fatal libcurl error\n");