(trunk libT) #2965: "buffer overflow if too many tr= args in a magnet link" -- fixed...
authorCharles Kerr <charles@transmissionbt.com>
Wed, 24 Feb 2010 04:23:36 +0000 (04:23 +0000)
committerCharles Kerr <charles@transmissionbt.com>
Wed, 24 Feb 2010 04:23:36 +0000 (04:23 +0000)
libtransmission/magnet.c

index 6ccd9191f79b6ef9a6f97ab396829ff7c8f42ddc..bff04c29a8197e0dc9d283b20d81e792aa87ac28 100644 (file)
@@ -151,10 +151,10 @@ tr_magnetParse( const char * uri )
             if( ( keylen==2 ) && !memcmp( key, "dn", 2 ) )
                 displayName = tr_http_unescape( val, vallen );
 
-            if( ( keylen==2 ) && !memcmp( key, "tr", 2 ) )
+            if( ( keylen==2 ) && !memcmp( key, "tr", 2 ) && ( trCount < MAX_TRACKERS ) )
                 tr[trCount++] = tr_http_unescape( val, vallen );
 
-            if( ( keylen==2 ) && !memcmp( key, "ws", 2 ) )
+            if( ( keylen==2 ) && !memcmp( key, "ws", 2 ) && ( wsCount < MAX_TRACKERS ) )
                 ws[wsCount++] = tr_http_unescape( val, vallen );
 
             walk = next != NULL ? next + 1 : NULL;
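Review bot: The added `ws` guard bounds `wsCount` with `MAX_TRACKERS`, which prevents an out-of-bounds write only if the `ws` array is declared with exactly that many elements. The declarations of `tr` and `ws` are outside this hunk, so that needs confirming. If both are local arrays, tying each bound to its own array keeps the check correct when a size changes, e.g. `( wsCount < (int)( sizeof( ws ) / sizeof( ws[0] ) ) )`, and likewise for `tr`. Because the URI is untrusted input, add a comment above the two checks such as `/* magnet URIs are attacker-controlled: ignore tr=/ws= entries beyond the array capacity */` so the silent truncation reads as deliberate.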