ffserver: local OOB write with custom program name

When the command line for children is created, it is assumed that
my_program_name always ends with "ffserver", which doesn't have to
be true if ffserver is called through a symbolic link.

In such a case, it could be that not enough space for "ffmpeg" is
available at the end, leading to a buffer overflow.

One example would be:

$ ln -s /usr/bin/ffserver ~/f; ~/f

As this is only a local buffer overflow, i.e. is based on a weird
program call, this has NO security impact.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

1 files changed, 11 insertions, 9 deletions

diff --git a/ffserver.c b/ffserver.c
index 02a583464b..8b819b6934 100644
--- a/ffserver.c
+++ b/ffserver.c
@@ -495,20 +495,22 @@ static void start_children(FFServerStream *feed)
         return;
     }
 
-    pathname = av_strdup (my_program_name);
+    slash = strrchr(my_program_name, '/');
+    if (!slash) {
+        pathname = av_mallocz(sizeof("ffmpeg"));
+    } else {
+        pathname = av_mallocz(slash - my_program_name + sizeof("ffmpeg"));
+        if (pathname != NULL) {
+            memcpy(pathname, my_program_name, slash - my_program_name);
+        }
+    }
     if (!pathname) {
         http_log("Could not allocate memory for children cmd line\n");
         return;
     }
-   /* replace "ffserver" with "ffmpeg" in the path of current
-    * program. Ignore user provided path */
+   /* use "ffmpeg" in the path of current program. Ignore user provided path */
 
-    slash = strrchr(pathname, '/');
-    if (!slash)
-        slash = pathname;
-    else
-        slash++;
-    strcpy(slash, "ffmpeg");
+    strcat(pathname, "ffmpeg");
 
     for (; feed; feed = feed->next) {