Hi,
It seems that there exists a potential integer overflow. Please find the following description:
- n can be an arbitrarily large number (minidlna/upnphttp.c, line 1042 in eff7761):

      n = recv(h->socket, buf, 2048, 0);

- h->req_buflen is added to n (minidlna/upnphttp.c, line 1060 in eff7761)
- Process_upnphttp(...) is called again (minidlna/minidlna.c, line 1180 in eff7761)
- Call to realloc with the large integer can cause a memory allocation with an overflowed size (minidlna/upnphttp.c, line 1088 in eff7761):

      h->req_buf = (char *)realloc(h->req_buf, n + h->req_buflen);
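A guarded form of the buffer growth described in the report above, as an added example that is not part of the original post or the minidlna source: it rejects non-positive read lengths and checks the sum against a cap before calling realloc. The struct `reqbuf`, the function `reqbuf_append` and the limit `REQ_BUF_MAX` are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on a buffered request; not a minidlna constant. */
#define REQ_BUF_MAX (1 << 20)

/* Hypothetical stand-in for the two fields named in the report. */
struct reqbuf {
    char *req_buf;
    int   req_buflen;
};

/*
 * Append n bytes from src to the request buffer.
 * Returns 0 on success, -1 if the length is invalid or the new size
 * would exceed the cap. On failure the existing buffer is untouched.
 */
int reqbuf_append(struct reqbuf *h, const char *src, int n)
{
    char *grown;

    /* recv() returns -1 on error and 0 on close; neither may reach realloc. */
    if (n <= 0 || h->req_buflen < 0)
        return -1;

    /* Compare by subtraction so that n + req_buflen is never computed
     * before it is known to fit. */
    if (n > REQ_BUF_MAX - h->req_buflen)
        return -1;

    grown = realloc(h->req_buf, (size_t)h->req_buflen + (size_t)n);
    if (grown == NULL)
        return -1;              /* old pointer is still valid, nothing leaked */

    memcpy(grown + h->req_buflen, src, (size_t)n);
    h->req_buf = grown;
    h->req_buflen += n;
    return 0;
}
```

Assigning the realloc result to a temporary also keeps the original pointer reachable when the allocation fails.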