[FFmpeg-cvslog] ffserver: Check chunk size
Michael Niedermayer
git at videolan.org
Mon Dec 5 23:05:18 EET 2016
ffmpeg | branch: release/3.1 | Michael Niedermayer <michael at niedermayer.cc> | Mon Dec 5 17:27:45 2016 +0100| [37904d11779482f375b13da24f33f75daf13638f] | committer: Michael Niedermayer
ffserver: Check chunk size
Fixes out of array access
Fixes: poc_ffserver.py
Found-by: Paul Cher <paulcher at icloud.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=37904d11779482f375b13da24f33f75daf13638f
---
ffserver.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ffserver.c b/ffserver.c
index 453d790..aec808e 100644
--- a/ffserver.c
+++ b/ffserver.c
@@ -2702,8 +2702,10 @@ static int http_receive_data(HTTPContext *c)
} else if (c->buffer_ptr - c->buffer >= 2 &&
!memcmp(c->buffer_ptr - 1, "\r\n", 2)) {
c->chunk_size = strtol(c->buffer, 0, 16);
- if (c->chunk_size == 0) // end of stream
+ if (c->chunk_size <= 0) { // end of stream or invalid chunk size
+ c->chunk_size = 0;
goto fail;
+ }
c->buffer_ptr = c->buffer;
break;
} else if (++loop_run > 10)
@@ -2725,6 +2727,7 @@ static int http_receive_data(HTTPContext *c)
/* end of connection : close it */
goto fail;
else {
+ av_assert0(len <= c->chunk_size);
c->chunk_size -= len;
c->buffer_ptr += len;
c->data_count += len;
More information about the ffmpeg-cvslog
mailing list