RTSP: avoid integer overflow on funny RTSP response

... like a very large non-existing RTSP version number. Added test 577 to verify. Detected by OSS-fuzz. Closes #1969
author: Daniel Stenberg <daniel@haxx.se> 2017-10-08 17:15:44 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2017-10-09 00:41:48 +0200
commit: 232dffcf2422baefa66617fdae2fb20085a8e386 (patch)
tree: 7c066be3e8b10c7cf9167617ac9b66e7feffaf65 /lib/http.c
parent: eb04636d68b078ac86558147ca124676f32dc285 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/http.c b/lib/http.c
index 38227eb6c..b3978af42 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -3387,12 +3387,14 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
         }
       }
       else if(conn->handler->protocol & CURLPROTO_RTSP) {
+        char separator;
         nc = sscanf(HEADER1,
-                    " RTSP/%d.%d %3d",
+                    " RTSP/%1d.%1d%c%3d",
                     &rtspversion_major,
                     &conn->rtspversion,
+                    &separator,
                     &k->httpcode);
-        if(nc == 3) {
+        if((nc == 4) && (' ' == separator)) {
           conn->rtspversion += 10 * rtspversion_major;
           conn->httpversion = 11; /* For us, RTSP acts like HTTP 1.1 */
         }
author	Daniel Stenberg <daniel@haxx.se>	2017-10-08 17:15:44 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2017-10-09 00:41:48 +0200
commit	232dffcf2422baefa66617fdae2fb20085a8e386 (patch)
tree	7c066be3e8b10c7cf9167617ac9b66e7feffaf65 /lib/http.c
parent	eb04636d68b078ac86558147ca124676f32dc285 (diff)