From 909283ae5a057487265ce9d8b684cf01451d096a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 31 Jul 2017 17:11:18 +0200
Subject: http: fix response code parser to avoid integer overflow

test 1429 and 1433 were updated to work with the stricter HTTP status line parser.

Closes #1714
Reported-by: Brian Carpenter
---
 lib/http.c | 15 +++++++++++----
 tests/data/test1429 | 2 +-
 tests/data/test1433 | 20 ++++----------------
 3 files changed, 16 insertions(+), 21 deletions(-)

diff --git a/lib/http.c b/lib/http.c
index 319a8192c..d66b8482f 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -3322,19 +3322,22 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
 * says. We try to allow any number here, but we cannot make
 * guarantees on future behaviors since it isn't within the protocol.
 */
+ char separator;
 nc = sscanf(HEADER1,
- " HTTP/%d.%d %d",
+ " HTTP/%1d.%1d%c%3d",
 &httpversion_major,
 &conn->httpversion,
+ &separator,
 &k->httpcode);
 
 if(nc == 1 && httpversion_major == 2 &&
 1 == sscanf(HEADER1, " HTTP/2 %d", &k->httpcode)) {
 conn->httpversion = 0;
- nc = 3;
+ nc = 4;
+ separator = ' ';
 }
 
- if(nc==3) {
+ if((nc==4) && (' ' == separator)) {
 conn->httpversion += 10 * httpversion_major;
 
 if(k->upgr101 == UPGR101_RECEIVED) {
@@ -3343,7 +3346,7 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
 infof(data, "Lying server, not serving HTTP/2\n");
 }
 }
- else {
+ else if(!nc) {
 /* this is the real world, not a Nirvana
 NCSA 1.5.x returns this crap when asked for HTTP/1.1
 */
@@ -3361,6 +3364,10 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
 }
 }
 }
+ else {
+ failf(data, "Unsupported HTTP version in response\n");
+ return CURLE_UNSUPPORTED_PROTOCOL;
+ }
 }
 else if(conn->handler->protocol & CURLPROTO_RTSP) {
 nc = sscanf(HEADER1,
diff --git a/tests/data/test1429 b/tests/data/test1429
index ddf52ec42..114dc0dba 100644
--- a/tests/data/test1429
+++ b/tests/data/test1429
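Review bot: In the first lib/http.c hunk (@@ -3322), the HTTP/2 fallback kept as context still reads the status with an unbounded conversion, `sscanf(HEADER1, " HTTP/2 %d", &k->httpcode)`, so a status line of the form `HTTP/2 ` followed by a long digit run can still yield a value outside the range of int, which the C standard leaves undefined. That is the same overflow this commit bounds on the HTTP/1.x path with `%3d`. Limiting the width here as well, `1 == sscanf(HEADER1, " HTTP/2 %3d", &k->httpcode)) {`, closes it. Separately, `%3d` stops after three digits without looking at the next character, so a longer code appears to be truncated rather than rejected (the test1429 expectation moves from 1234 to 123).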
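Review bot: In the third lib/http.c hunk (@@ -3361), the new final `else` reports "Unsupported HTTP version in response" for every status line that matched only in part, not just for a bad version: it is reached when sscanf() returned 1 to 3 or a negative value, and when it returned 4 but `separator` is not a space. A comment on the branch would record that, e.g. `/* partial match or non-space separator: refuse the malformed status line */`, and wording the message as a malformed status line would make the failure easier to triage from logs. The if/else chain this branch closes starts above the hunk, so any cleanup expected before the early `return` cannot be checked from here.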
@@ -54,7 +54,7 @@ Content-Type: text/html Funny-head: yesyes -foo- -1234 +123 ^User-Agent:.* diff --git a/tests/data/test1433 b/tests/data/test1433 index 8634db2c4..a159daff3 100644 --- a/tests/data/test1433 +++ b/tests/data/test1433 @@ -34,28 +34,13 @@ http HTTP GET with 100-digit subversion number in response -http://%HOSTIP:%HTTPPORT/1433 --write-out '%{response_code}' +http://%HOSTIP:%HTTPPORT/1433 # # Verify data after the test has been "shot" - -HTTP/1.0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 200 OK -Date: Thu, 09 Nov 2010 14:49:00 GMT -Server: test-server/fake -Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -ETag: "21025-dc7-39462498" -Accept-Ranges: bytes -Content-Length: 6 -Connection: close -Content-Type: text/html -Funny-head: yesyes - --foo- -200 - ^User-Agent:.* @@ -65,5 +50,8 @@ Host: %HOSTIP:%HTTPPORT Accept: */* + +1 + -- cgit v1.2.3