Open KSB21ST opened 3 years ago
Hi, it seems that there exists a potential integer overflow. Please find the following description:
1. n can be an arbitrarily large number: https://github.com/azatoth/minidlna/blob/eff77615abf6087c76647ed57b8878280a6cd215/upnphttp.c#L1042
2. h->req_buflen is added to n: https://github.com/azatoth/minidlna/blob/eff77615abf6087c76647ed57b8878280a6cd215/upnphttp.c#L1060
3. Process_upnphttp(...) is called again: https://github.com/azatoth/minidlna/blob/eff77615abf6087c76647ed57b8878280a6cd215/minidlna.c#L1180
4. A call to realloc with the large integer can cause a memory allocation with an overflowed size: https://github.com/azatoth/minidlna/blob/eff77615abf6087c76647ed57b8878280a6cd215/upnphttp.c#L1088
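The pattern reported above (a signed length accumulated across reads, then passed to realloc) can be guarded by checking the addition before performing it. The following is an added example, not minidlna's code and not part of the original report; `struct req`, `req_append` and the 1 MiB `REQ_MAX` cap are hypothetical names and an assumed policy value.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REQ_MAX (1 << 20)   /* assumed policy cap on one request: 1 MiB */

struct req {                /* hypothetical stand-in for the connection state */
    char *buf;
    int   len;              /* signed running length, as in the report */
};

/* Append n received bytes to r. Returns 0 on success, -1 if rejected.
 * On rejection r->buf and r->len are left unchanged. */
int req_append(struct req *r, const char *data, int n)
{
    if (n < 0 || r->len < 0)
        return -1;
    /* Compare against the remaining room instead of computing r->len + n
     * first: the subtraction cannot overflow because r->len >= 0. */
    if (n > REQ_MAX - r->len)
        return -1;
    int newlen = r->len + n;                 /* now known to be <= REQ_MAX */
    char *p = realloc(r->buf, (size_t)newlen + 1);
    if (p == NULL)
        return -1;                           /* old buffer is still valid */
    memcpy(p + r->len, data, (size_t)n);
    p[newlen] = '\0';
    r->buf = p;
    r->len = newlen;
    return 0;
}

int main(void)
{
    struct req r = { NULL, 0 };
    /* Constructed inputs: a normal chunk, then an oversized length. */
    printf("normal chunk:  %d\n", req_append(&r, "GET ", 4));
    printf("huge length:   %d\n", req_append(&r, "x", INT_MAX));
    printf("length after:  %d\n", r.len);
    free(r.buf);
    return 0;
}
```
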