From 91cfb115927f43fa6dc90ae9c4abdb0ed767ccb7 Mon Sep 17 00:00:00 2001
From: John Mark Bell <jmb@netsurf-browser.org>
Date: Fri, 23 Mar 2007 22:39:10 +0000
Subject: Fix crash on WWW-Authenticate header with no realm (1686714)

svn path=/trunk/netsurf/; revision=3216
---
 content/fetch.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

(limited to 'content/fetch.c')

diff --git a/content/fetch.c b/content/fetch.c
index ddffef93a..dda6e2923 100644
--- a/content/fetch.c
+++ b/content/fetch.c
@@ -1167,21 +1167,24 @@ size_t fetch_curl_header(char *data, size_t size, size_t nmemb,
 		}
 		SKIP_ST(17);
 
-		while (i < (int) size && strncasecmp(data + i, "realm", 5))
+		while (i < (int) size - 5 &&
+				strncasecmp(data + i, "realm", 5))
 			i++;
-		while (i < (int)size && data[++i] != '"')
+		while (i < (int) size - 1 && data[++i] != '"')
 			/* */;
 		i++;
 
-		strncpy(f->realm, data + i, size - i);
-		f->realm[size - i] = '\0';
-		for (i = size - i - 1; i >= 0 &&
-				(f->realm[i] == ' ' ||
-				f->realm[i] == '"' ||
-				f->realm[i] == '\t' ||
-				f->realm[i] == '\r' ||
-				f->realm[i] == '\n'); --i)
-			f->realm[i] = '\0';
+		if (i < (int) size) {
+			strncpy(f->realm, data + i, size - i);
+			f->realm[size - i] = '\0';
+			for (i = size - i - 1; i >= 0 &&
+					(f->realm[i] == ' ' ||
+					f->realm[i] == '"' ||
+					f->realm[i] == '\t' ||
+					f->realm[i] == '\r' ||
+					f->realm[i] == '\n'); --i)
+				f->realm[i] = '\0';
+		}
 #endif
 	} else if (5 < size && strncasecmp(data, "Date:", 5) == 0) {
 		/* extract Date header */
-- 
cgit v1.2.3