The commit
e650dbde86d4 that stripped off [brackets] from ipv6-only host
headers for the sake of cookie parsing wrongly incremented the host
pointer which would cause a bad free() call later on.
the bracket has been closed */
int startsearch = 0;
if(*cookiehost == '[') {
- char *closingbracket = strchr(++cookiehost, ']');
+ char *closingbracket;
+ closingbracket = strchr(cookiehost+1, ']');
if(closingbracket)
*closingbracket = 0;
+ /* since the 'cookiehost' is an allocated memory area that will be
+ freed later we cannot simply increment the pointer */
+ memmove(cookiehost, cookiehost + 1, strlen(cookiehost) - 1);
}
else {
char *colon = strchr(cookiehost + startsearch, ':');
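Review bot: The added `memmove` copies `strlen(cookiehost) - 1` bytes, which leaves out the terminating NUL, so the last character of the host stays in place and is duplicated. After the closing bracket has been overwritten with 0, a constructed value `[::1` ends up as `::11` instead of `::1`. Copying the terminator as well fixes it: `memmove(cookiehost, cookiehost + 1, strlen(cookiehost));`. This string is presumably what cookie domain matching is later done against, so cookies for IPv6-literal hosts would be compared with the wrong name; a test case with a bracketed IPv6 Host header would pin the expected value. The enclosing function starts and ends outside this hunk.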