authorMichael Niedermayer <michael@niedermayer.cc>2016-12-05 17:27:45 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2016-12-05 22:05:37 +0100
commit1768e02a046ac05cb212991ae23021ad412cd15a (patch)
tree32209e8db97b4153903d49b3a3fb065bc7f00d12 /ffserver.c
parente0d1db72dadfa5330c2b9b70c6bb1baa9f17e6fe (diff)
ffserver: Check chunk size
Fixes out of array access Fixes: poc_ffserver.py Found-by: Paul Cher <paulcher@icloud.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'ffserver.c')
-rw-r--r--ffserver.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/ffserver.c b/ffserver.c
index d73caee9ec..5ce439a0df 100644
--- a/ffserver.c
+++ b/ffserver.c
@@ -2701,8 +2701,10 @@ static int http_receive_data(HTTPContext *c)
} else if (c->buffer_ptr - c->buffer >= 2 &&
!memcmp(c->buffer_ptr - 1, "\r\n", 2)) {
c->chunk_size = strtol(c->buffer, 0, 16);
- if (c->chunk_size == 0) // end of stream
+ if (c->chunk_size <= 0) { // end of stream or invalid chunk size
+ c->chunk_size = 0;
goto fail;
+ }
c->buffer_ptr = c->buffer;
break;
} else if (++loop_run > 10)
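Review bot: The result of `strtol(c->buffer, 0, 16)` is still stored straight into `c->chunk_size` with no end-pointer or upper-bound check, so the new `<= 0` test only catches sizes that end up zero or negative. If `chunk_size` is narrower than `long` (its declaration is outside this hunk), an oversized hex value sent by the client could be truncated to a small positive number and accepted as a valid chunk length. Parsing into a local first would close that gap: `char *end; long sz = strtol(c->buffer, &end, 16);` followed by `if (end == c->buffer || sz <= 0 || sz > INT_MAX) { c->chunk_size = 0; goto fail; }`, with the bound matched to the field's real type. A malformed size and a normal end of stream now share the same `goto fail` path, so logging the invalid case separately would make such requests visible to operators. The body of `http_receive_data` starts and ends outside the hunk.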
@@ -2724,6 +2726,7 @@ static int http_receive_data(HTTPContext *c)
/* end of connection : close it */
goto fail;
else {
+ av_assert0(len <= c->chunk_size);
c->chunk_size -= len;
c->buffer_ptr += len;
c->data_count += len;
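Review bot: `av_assert0(len <= c->chunk_size)` aborts the whole server process if it ever fires, and it sits in a function that handles data received from a remote client, so any path reaching it with `len` larger than the remaining chunk takes the service down for every connection rather than just the offending one. The neighbouring branch already bails out with `goto fail`, so the same condition can be handled per connection: `if (len > c->chunk_size) goto fail;`. The call that produces `len` is outside this hunk, so whether the condition is reachable (for example on a request that is not chunked, where `chunk_size` may never be set) cannot be confirmed from here.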