[FFmpeg-cvslog] ffserver: fix unsafe snprintf() return usage.

Michael Niedermayer git at videolan.org
Sun Sep 9 14:23:15 CEST 2012


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Sun Sep  9 14:10:11 2012 +0200| [1fc3e8f4ea49d01b2eab609ff94fa6c860da0043] | committer: Michael Niedermayer

ffserver: fix unsafe snprintf() return usage.

Found-by: "Ronald S. Bultje" <rsbultje at gmail.com>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1fc3e8f4ea49d01b2eab609ff94fa6c860da0043
---

 ffserver.c |   37 +++++++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 14 deletions(-)

diff --git a/ffserver.c b/ffserver.c
index 2bd92a1..bd8d95e 100644
--- a/ffserver.c
+++ b/ffserver.c
@@ -1566,7 +1566,7 @@ static int http_parse_request(HTTPContext *c)
     if (stream->stream_type == STREAM_TYPE_REDIRECT) {
         c->http_error = 301;
         q = c->buffer;
-        q += snprintf(q, c->buffer_size,
+        snprintf(q, c->buffer_size,
                       "HTTP/1.0 301 Moved\r\n"
                       "Location: %s\r\n"
                       "Content-type: text/html\r\n"
@@ -1574,6 +1574,7 @@ static int http_parse_request(HTTPContext *c)
                       "<html><head><title>Moved</title></head><body>\r\n"
                       "You should be <a href=\"%s\">redirected</a>.\r\n"
                       "</body></html>\r\n", stream->feed_filename, stream->feed_filename);
+        q += strlen(q);
         /* prepare output buffer */
         c->buffer_ptr = c->buffer;
         c->buffer_end = q;
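Review bot: With the snprintf() result now discarded, a response that does not fit in `c->buffer` is truncated silently, and in this 301 branch a cut-off `Location:` value would send the client to a different URL than the one configured. A negative return is not handled either; the buffer contents are then unspecified and `strlen(q)` measures whatever happens to be there. I would keep the result, `ret = snprintf(q, c->buffer_size, ...);`, and take an error path on `if (ret < 0 || ret >= c->buffer_size)`. The same pattern is repeated in the 503, ASX, RAM, ASF, RTSP, SDP and 404 hunks below. The call itself starts in the previous hunk, and http_parse_request() extends beyond both.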
@@ -1604,7 +1605,7 @@ static int http_parse_request(HTTPContext *c)
     if (c->post == 0 && max_bandwidth < current_bandwidth) {
         c->http_error = 503;
         q = c->buffer;
-        q += snprintf(q, c->buffer_size,
+        snprintf(q, c->buffer_size,
                       "HTTP/1.0 503 Server too busy\r\n"
                       "Content-type: text/html\r\n"
                       "\r\n"
@@ -1613,6 +1614,7 @@ static int http_parse_request(HTTPContext *c)
                       "<p>The bandwidth being served (including your stream) is %"PRIu64"kbit/sec, "
                       "and this exceeds the limit of %"PRIu64"kbit/sec.</p>\r\n"
                       "</body></html>\r\n", current_bandwidth, max_bandwidth);
+        q += strlen(q);
         /* prepare output buffer */
         c->buffer_ptr = c->buffer;
         c->buffer_end = q;
@@ -1655,7 +1657,7 @@ static int http_parse_request(HTTPContext *c)
                     q = c->buffer;
                     switch(redir_type) {
                     case REDIR_ASX:
-                        q += snprintf(q, c->buffer_size,
+                        snprintf(q, c->buffer_size,
                                       "HTTP/1.0 200 ASX Follows\r\n"
                                       "Content-type: video/x-ms-asf\r\n"
                                       "\r\n"
@@ -1663,22 +1665,25 @@ static int http_parse_request(HTTPContext *c)
                                       //"<!-- Autogenerated by ffserver -->\r\n"
                                       "<ENTRY><REF HREF=\"http://%s/%s%s\"/></ENTRY>\r\n"
                                       "</ASX>\r\n", hostbuf, filename, info);
+                        q += strlen(q);
                         break;
                     case REDIR_RAM:
-                        q += snprintf(q, c->buffer_size,
+                        snprintf(q, c->buffer_size,
                                       "HTTP/1.0 200 RAM Follows\r\n"
                                       "Content-type: audio/x-pn-realaudio\r\n"
                                       "\r\n"
                                       "# Autogenerated by ffserver\r\n"
                                       "http://%s/%s%s\r\n", hostbuf, filename, info);
+                        q += strlen(q);
                         break;
                     case REDIR_ASF:
-                        q += snprintf(q, c->buffer_size,
+                        snprintf(q, c->buffer_size,
                                       "HTTP/1.0 200 ASF Redirect follows\r\n"
                                       "Content-type: video/x-ms-asf\r\n"
                                       "\r\n"
                                       "[Reference]\r\n"
                                       "Ref1=http://%s/%s%s\r\n", hostbuf, filename, info);
+                        q += strlen(q);
                         break;
                     case REDIR_RTSP:
                         {
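Review bot: `hostbuf`, `filename` and `info` are formatted into the ASX `HREF` attribute and the RAM/ASF reference URLs with no escaping or validation in these lines. Where they are filled is outside the hunk; if any of them is derived from the request (presumably the host header and request path, to be confirmed), a quote, angle bracket or line break in the value changes the structure of the generated playlist. I would validate them against the characters allowed in a URL host and path before the `switch`. Once that check exists, a comment such as `/* hostbuf, filename, info: validated above, safe to embed in the playlist */` belongs here.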
@@ -1688,12 +1693,13 @@ static int http_parse_request(HTTPContext *c)
                             p = strrchr(hostname, ':');
                             if (p)
                                 *p = '\0';
-                            q += snprintf(q, c->buffer_size,
+                            snprintf(q, c->buffer_size,
                                           "HTTP/1.0 200 RTSP Redirect follows\r\n"
                                           /* XXX: incorrect mime type ? */
                                           "Content-type: application/x-rtsp\r\n"
                                           "\r\n"
                                           "rtsp://%s:%d/%s\r\n", hostname, ntohs(my_rtsp_addr.sin_port), filename);
+                            q += strlen(q);
                         }
                         break;
                     case REDIR_SDP:
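Review bot: `p = strrchr(hostname, ':'); if (p) *p = '\0';` treats the last colon as the port separator, so a bracketed IPv6 literal without a port (constructed example: `[2001:db8::1]`) is cut inside the address and the `rtsp://` URL is built from what remains. Guarding the cut with `if (p && !strchr(p, ']')) *p = '\0';` keeps such hosts intact. `hostname` is declared and filled above the hunk, so whether IPv6 literals can reach this point should be confirmed there.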
@@ -1702,10 +1708,11 @@ static int http_parse_request(HTTPContext *c)
                             int sdp_data_size, len;
                             struct sockaddr_in my_addr;
 
-                            q += snprintf(q, c->buffer_size,
+                            snprintf(q, c->buffer_size,
                                           "HTTP/1.0 200 OK\r\n"
                                           "Content-type: application/sdp\r\n"
                                           "\r\n");
+                            q += strlen(q);
 
                             len = sizeof(my_addr);
                             getsockname(c->fd, (struct sockaddr *)&my_addr, &len);
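Review bot: The result of `getsockname()` is ignored, so on failure `my_addr` stays uninitialised for whatever the SDP code after this hunk does with it; `len` is also declared `int` where the call takes a `socklen_t *`. I would declare `socklen_t len = sizeof(my_addr);` and leave the branch when `getsockname(...) < 0`. After `q += strlen(q)` the space left is `c->buffer_size - (q - c->buffer)`, and the SDP data appended below the hunk (not visible here) should be bounded by that value.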
@@ -1824,12 +1831,12 @@ static int http_parse_request(HTTPContext *c)
     }
 
     /* prepare http header */
-    q = c->buffer;
-    q += snprintf(q, q - (char *) c->buffer + c->buffer_size, "HTTP/1.0 200 OK\r\n");
+    c->buffer[0] = 0;
+    av_strlcatf(c->buffer, c->buffer_size, "HTTP/1.0 200 OK\r\n");
     mime_type = c->stream->fmt->mime_type;
     if (!mime_type)
         mime_type = "application/x-octet-stream";
-    q += snprintf(q, q - (char *) c->buffer + c->buffer_size, "Pragma: no-cache\r\n");
+    av_strlcatf(c->buffer, c->buffer_size, "Pragma: no-cache\r\n");
 
     /* for asf, we need extra headers */
     if (!strcmp(c->stream->fmt->name,"asf_stream")) {
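Review bot: None of the av_strlcatf() calls in this hunk or the next one check for truncation, so if the header ever outgrows `c->buffer`, the closing `"\r\n"` appended last is lost and the client receives a header block with no terminating blank line. av_strlcatf() returns the length the full string would have had, so the final call in the next hunk can carry the check: `if (av_strlcatf(c->buffer, c->buffer_size, "\r\n") >= c->buffer_size)` followed by an error path. A short comment at `c->buffer[0] = 0;` saying the buffer is used as a NUL-terminated accumulator from there on would also help, since `q` is only recomputed at the end.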
@@ -1837,10 +1844,11 @@ static int http_parse_request(HTTPContext *c)
 
         c->wmp_client_id = av_lfg_get(&random_state);
 
-        q += snprintf(q, q - (char *) c->buffer + c->buffer_size, "Server: Cougar 4.1.0.3923\r\nCache-Control: no-cache\r\nPragma: client-id=%d\r\nPragma: features=\"broadcast\"\r\n", c->wmp_client_id);
+        av_strlcatf(c->buffer, c->buffer_size, "Server: Cougar 4.1.0.3923\r\nCache-Control: no-cache\r\nPragma: client-id=%d\r\nPragma: features=\"broadcast\"\r\n", c->wmp_client_id);
     }
-    q += snprintf(q, q - (char *) c->buffer + c->buffer_size, "Content-Type: %s\r\n", mime_type);
-    q += snprintf(q, q - (char *) c->buffer + c->buffer_size, "\r\n");
+    av_strlcatf(c->buffer, c->buffer_size, "Content-Type: %s\r\n", mime_type);
+    av_strlcatf(c->buffer, c->buffer_size, "\r\n");
+    q = c->buffer + strlen(c->buffer);
 
     /* prepare output buffer */
     c->http_error = 0;
@@ -1851,7 +1859,7 @@ static int http_parse_request(HTTPContext *c)
  send_error:
     c->http_error = 404;
     q = c->buffer;
-    q += snprintf(q, c->buffer_size,
+    snprintf(q, c->buffer_size,
                   "HTTP/1.0 404 Not Found\r\n"
                   "Content-type: text/html\r\n"
                   "\r\n"
@@ -1859,6 +1867,7 @@ static int http_parse_request(HTTPContext *c)
                   "<head><title>404 Not Found</title></head>\n"
                   "<body>%s</body>\n"
                   "</html>\n", msg);
+    q += strlen(q);
     /* prepare output buffer */
     c->buffer_ptr = c->buffer;
     c->buffer_end = q;
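Review bot: `msg` is placed inside `<body>%s</body>` as-is, so any markup characters it contains become part of the error page. The code that fills `msg` is outside this hunk; if it can include text taken from the request, such as the requested path, the value should be HTML-escaped (`&`, `<`, `>`, `"`) before this snprintf(). Alternatively the error could be sent as `Content-type: text/plain`. The snprintf() call starts in the previous hunk.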


