From 24b37f4859f716c86ad2649837b32184818a5da0 Mon Sep 17 00:00:00 2001
From: =?utf8?q?R=C3=A9mi=20Denis-Courmont?=
Date: Sun, 2 Nov 2014 17:06:40 +0200
Subject: [PATCH] httpcookies: fix heap read overflow (fixes #12674)
Cc: Antti Ajanki
---
 src/misc/httpcookies.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/misc/httpcookies.c b/src/misc/httpcookies.c
index 453688096f..7bd9850df6 100644
--- a/src/misc/httpcookies.c
+++ b/src/misc/httpcookies.c
@@ -332,10 +332,16 @@ static bool cookie_domain_matches( const http_cookie_t * cookie, const char *hos
 size_t host_len = strlen(host);
 size_t cookie_domain_len = strlen(cookie->psz_domain);
- int i = host_len - cookie_domain_len;
- bool is_suffix = ( i > 0 ) &&
- vlc_ascii_strcasecmp( &host[i], cookie->psz_domain ) == 0;
- bool has_dot_before_suffix = host[i-1] == '.';
+ bool is_suffix = false, has_dot_before_suffix = false;
+
+ if( host_len > cookie_domain_len )
+ {
+ size_t i = host_len - cookie_domain_len;
+
+ is_suffix = vlc_ascii_strcasecmp( &host[i], cookie->psz_domain ) == 0;
+ has_dot_before_suffix = host[i-1] == '.';
+ }
+
 bool host_is_ipv4 = strspn(host, "0123456789.") == host_len;
 bool host_is_ipv6 = strchr(host, ':') != NULL;
 return is_suffix && has_dot_before_suffix &&
--
2.39.2
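Review bot: A zero-length `cookie->psz_domain` still passes the new guard `if( host_len > cookie_domain_len )`: `i` then equals `host_len`, the suffix comparison is between two empty strings and succeeds, and `has_dot_before_suffix` depends only on the last character of `host`, so such a cookie would be treated as matching any non-numeric host name written with a trailing dot. Whether an empty domain can ever be stored is decided outside this hunk, so this is a defensive suggestion rather than a confirmed defect: `if( cookie_domain_len > 0 && host_len > cookie_domain_len )`. The guard also deserves a one-line comment such as `/* strict '>' guarantees i >= 1, so host[i-1] stays inside the string */`, so that nobody later relaxes it to `>=` and reintroduces the out-of-bounds read. The body of cookie_domain_matches starts and ends outside the hunk.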