diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2016-12-05 17:27:45 +0100 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2016-12-05 22:05:37 +0100 |
commit | 1768e02a046ac05cb212991ae23021ad412cd15a (patch) | |
tree | 32209e8db97b4153903d49b3a3fb065bc7f00d12 /ffserver.c | |
parent | e0d1db72dadfa5330c2b9b70c6bb1baa9f17e6fe (diff) | |
download | ffmpeg-1768e02a046ac05cb212991ae23021ad412cd15a.tar.gz |
ffserver: Check chunk size
Fixes out of array access
Fixes: poc_ffserver.py
Found-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'ffserver.c')
-rw-r--r-- | ffserver.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/ffserver.c b/ffserver.c index d73caee9ec..5ce439a0df 100644 --- a/ffserver.c +++ b/ffserver.c @@ -2701,8 +2701,10 @@ static int http_receive_data(HTTPContext *c) } else if (c->buffer_ptr - c->buffer >= 2 && !memcmp(c->buffer_ptr - 1, "\r\n", 2)) { c->chunk_size = strtol(c->buffer, 0, 16); - if (c->chunk_size == 0) // end of stream + if (c->chunk_size <= 0) { // end of stream or invalid chunk size + c->chunk_size = 0; goto fail; + } c->buffer_ptr = c->buffer; break; } else if (++loop_run > 10) @@ -2724,6 +2726,7 @@ static int http_receive_data(HTTPContext *c) /* end of connection : close it */ goto fail; else { + av_assert0(len <= c->chunk_size); c->chunk_size -= len; c->buffer_ptr += len; c->data_count += len; |