--- mpg123-0.59r/httpget.c.cve-2007-0578 2007-02-02 08:55:00.000000000 -0700
+++ mpg123-0.59r/httpget.c 2007-02-02 09:12:22.000000000 -0700
@@ -53,7 +53,7 @@ void writestring (int fd, char *string)
 }
 }
-void readstring (char *string, int maxlen, FILE *f)
+int readstring (char *string, int maxlen, FILE *f)
 {
 #if 0
 char *result;
@@ -74,6 +74,8 @@ void readstring (char *string, int maxle
 }
 }
 string[pos] = 0;
+
+ return pos;
 #if 0
 do {
 result = fgets(string, maxlen, f);
@@ -197,6 +199,7 @@ int http_open (char *url)
 unsigned int myport;
 int sock;
 int relocate, numrelocs = 0;
+ int ret = 0; /* return value from readstring */
 struct sockaddr_in server;
 FILE *myfile;
@@ -307,7 +310,23 @@ int http_open (char *url)
 };
 relocate = FALSE;
 purl[0] = '\0';
- readstring (request, linelength-1, myfile);
+ #define safe_readstring \
+ ret = readstring(request, linelength-1, myfile); \
+ if(ret == linelength-1) \
+ { \
+ fprintf(stderr, "%s\n", "HTTP response line exceeds max. length"); \
+ close(sock); \
+ sock = -1; \
+ goto exit; \
+ } \
+ else if(ret < 0) \
+ { \
+ fprintf(stderr, "%s\n", "readstring failed"); \
+ close(sock); \
+ sock = -1; \
+ goto exit; \
+ }
+ safe_readstring;
 if ((sptr = strchr(request, ' '))) {
 switch (sptr[1]) {
 case '3':
@@ -321,7 +340,7 @@ int http_open (char *url)
 }
 }
 do {
- readstring (request, linelength-1, myfile);
+ safe_readstring;
 if (!strncmp(request, "Location:", 9))
 strncpy (purl, request+10, 1023);
 } while (request[0] != '\r' && request[0] != '\n');
@@ -330,8 +349,9 @@ int http_open (char *url)
 fprintf (stderr, "Too many HTTP relocations.\n");
 exit (1);
 }
- free (purl);
- free (request);
+exit:
+ if(purl != NULL) free(purl);
+ if(request != NULL) free(request);
 return sock;
 }
@@ -349,7 +369,7 @@ void writestring (int fd, char *string)
 {
 }
-void readstring (char *string, int maxlen, FILE *f)
+int readstring (char *string, int maxlen, FILE *f)
 {
 }
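Review bot: In the `@@ -74,6 +74,8 @@` hunk readstring returns `pos` unconditionally, and nothing visible here ever yields a negative value, so the `ret < 0` branch that http_open adds later in this patch may be dead code. The read loop that sets `pos` starts above the hunk; confirm how it handles EOF and read errors, and return `-1` there if callers are meant to see the failure. The new return contract is also undocumented; a comment above the function such as `/* returns the number of bytes stored, not counting the NUL; a value equal to maxlen means the line was cut short */` would state what the caller's `ret == linelength-1` test relies on, assuming that is the intended meaning.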
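Review bot: In the `@@ -307,7 +310,23 @@` hunk `safe_readstring` is a bare multi-statement macro defined in the middle of http_open, so it hides an assignment to `ret`, a `close(sock)` and a `goto exit` behind what reads as a plain statement, and it stays defined for the rest of the file. Both uses in this patch sit inside braces, but an unbraced `if (x) safe_readstring;` would guard only the first statement; wrap the expansion as `do { \` … `} while (0)` and add `#undef safe_readstring` after the relocation loop, or move the two checks into a small static helper that returns a status. The error branches call `close(sock)` while `myfile` is still open; if `myfile` wraps the same descriptor (its setup is outside the hunk), the stream object is leaked, and `fclose(myfile)` in place of `close(sock)` would release both.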
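Review bot: In the `@@ -321,7 +340,7 @@` hunk the context line `strncpy (purl, request+10, 1023);` is left as is, and strncpy writes no terminator when the Location value is 1023 bytes or longer. The new length check bounds a header line to `linelength-1` only, and both `linelength` and the allocation of `purl` are outside the hunk, so whether a line can reach that length is not visible here. Assuming `purl` is 1024 bytes, follow the copy with `purl[1023] = '\0';`. The fixed offset `request+10` also assumes one separator character after the colon, which drops the first byte of the URL when a server sends `Location:` with no space.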
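Review bot: In the `@@ -330,8 +349,9 @@` hunk the relocation-limit branch directly above the new label still calls `exit (1);`, so a server that keeps redirecting terminates the whole process while an over-long header line now returns -1 through the cleanup path. That branch could instead do `close(sock); sock = -1;` and fall through to the label; whether callers of http_open handle -1 is not visible in this patch. The label is named `exit`, the same identifier as the libc function called three lines above it, which is legal because labels have their own namespace but reads poorly; a name such as `cleanup` avoids the confusion. The `!= NULL` guards are unnecessary, since `free(NULL)` is a no-op.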
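Review bot: In the `@@ -349,7 +369,7 @@` hunk the stub `readstring` now has return type `int` but its body is still empty, so control falls off the end of a non-void function and any caller that reads the result gets undefined behavior. Add `return -1;` to the stub body so that it reports failure. The preprocessor condition that selects this stub is outside the hunk, so whether anything calls it in that configuration is not visible here.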