main: fix two one-byte overreads in header_value()

By passing specially crafted header values, the skip loops in the
header_value() function may override the input buffer by one byte
each.

Reported-by: Jinwei Dong <jwdong2000@qq.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/main.c b/main.c
index e55051e3bd01b16584a40cc15a9e4f28cf351c73..8ca4c046d96eefe88aa8221e93814d0de7a0994c 100644 (file)
--- a/main.c
+++ b/main.c
@@ -314,21 +314,21 @@ header_value(multipart_parser *p, const char *data, size_t len)
        if (len < 10 || strncasecmp(data, "form-data", 9))
                return 0;
 
-       for (data += 9, len -= 9; *data == ' ' || *data == ';'; data++, len--);
+       for (data += 9, len -= 9; len > 0 && (*data == ' ' || *data == ';'); data++, len--);
 
        if (len < 8 || strncasecmp(data, "name=\"", 6))
                return 0;
 
-       for (data += 6, len -= 6, i = 0; i <= len; i++)
+       for (data += 6, len -= 6, i = 1; i < len; i++)
        {
-               if (*(data + i) != '"')
-                       continue;
-
-               for (j = 1; j < sizeof(parts) / sizeof(parts[0]); j++)
-                       if (!strncmp(data, parts[j], i))
-                               st.parttype = j;
+               if (data[i] == '"')
+               {
+                       for (j = 1; j < sizeof(parts) / sizeof(parts[0]); j++)
+                               if (!strncmp(data, parts[j], i - 1))
+                                       st.parttype = j;
 
-               break;
+                       break;
+               }
        }
 
        return 0;