authorMartin Storsjö <martin@martin.st>2016-12-15 10:24:20 +0200
committerMartin Storsjö <martin@martin.st>2016-12-23 21:28:05 +0200
commit131644677970a3c4a0096270ea2a5b5d437c2e63 (patch)
tree8c92cbe843536284e2dc95ff7a4a0f46827d7a3e
parent0b77a5933635293508e7289e7cf191ed166cf070 (diff)
downloadffmpeg-131644677970a3c4a0096270ea2a5b5d437c2e63.tar.gz
http: Check for negative chunk sizes
A negative chunk size is illegal and would end up used as length for memcpy, where it would lead to memory accesses out of bounds. Found-by: Paul Cher <paulcher@icloud.com> CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>
-rw-r--r--libavformat/http.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/libavformat/http.c b/libavformat/http.c
index 8fe8d11e1e..00cf295001 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -784,8 +784,9 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size)
av_log(NULL, AV_LOG_TRACE, "Chunked encoding data size: %"PRId64"'\n",
s->chunksize);
-
- if (!s->chunksize)
+ if (s->chunksize < 0)
+ return AVERROR_INVALIDDATA;
+ else if (!s->chunksize)
return 0;
break;
}
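Review bot: The new `s->chunksize < 0` branch returns AVERROR_INVALIDDATA without logging anything above trace level, so a server sending an illegal chunk header cannot be told apart from any other invalid-data failure in normal logs; adding `av_log(h, AV_LOG_ERROR, "Invalid chunk size %"PRId64"\n", s->chunksize);` before the return (with braces around the two statements) would make it visible. The `else` after that `return` is redundant and could be a plain `if (!s->chunksize)`. The code that parses the chunk-size line is outside this hunk; if it converts the hex text without checking for a parse failure or overflow, an unparsable line would presumably read as 0 and be treated as end of stream, which is worth confirming. http_read_stream's body starts and ends outside the hunk.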