From 97b66ebefe2090aea734af57c5e7e182a97f20bb Mon Sep 17 00:00:00 2001
From: Andrei Cipu
Date: Thu, 22 Mar 2012 08:52:45 +0100
Subject: [PATCH] cookies: strip the numerical ipv6 host properly

The commit e650dbde86d4 that stripped off [brackets] from ipv6-only host headers for the sake of cookie parsing wrongly incremented the host pointer which would cause a bad free() call later on.
---
 lib/http.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/http.c b/lib/http.c
index a8b3e28fd..ec76bbe46 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1851,9 +1851,13 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
 the bracket has been closed */
 int startsearch = 0;
 if(*cookiehost == '[') {
- char *closingbracket = strchr(++cookiehost, ']');
+ char *closingbracket;
+ closingbracket = strchr(cookiehost+1, ']');
 if(closingbracket)
 *closingbracket = 0;
+ /* since the 'cookiehost' is an allocated memory area that will be
+ freed later we cannot simply increment the pointer */
+ memmove(cookiehost, cookiehost + 1, strlen(cookiehost) - 1);
 }
 else {
 char *colon = strchr(cookiehost + startsearch, ':');
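Review bot: The `memmove()` added at the end of the `[` branch copies `strlen(cookiehost) - 1` bytes, which shifts the address characters but not the terminating NUL, so the old last character stays in place: with the bracket already zeroed, `[::1` ends up as `::11` instead of `::1`. The write stays inside the allocation, but the host string is wrong, and it presumably feeds cookie matching further down in `Curl_http`, whose body continues outside this hunk. Copying one more byte carries the terminator along: `memmove(cookiehost, cookiehost + 1, strlen(cookiehost));`. That length is also correct when no `]` is found, since the source range still ends at the existing NUL.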