ffmpeg | branch: release/3.0 | Michael Niedermayer <mich...@niedermayer.cc> | Mon Dec 5 17:27:45 2016 +0100| [1768e02a046ac05cb212991ae23021ad412cd15a] | committer: Michael Niedermayer
ffserver: Check chunk size Fixes out of array access Fixes: poc_ffserver.py Found-by: Paul Cher <paulc...@icloud.com> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1768e02a046ac05cb212991ae23021ad412cd15a --- ffserver.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ffserver.c b/ffserver.c index d73caee..5ce439a 100644 --- a/ffserver.c +++ b/ffserver.c @@ -2701,8 +2701,10 @@ static int http_receive_data(HTTPContext *c) } else if (c->buffer_ptr - c->buffer >= 2 && !memcmp(c->buffer_ptr - 1, "\r\n", 2)) { c->chunk_size = strtol(c->buffer, 0, 16); - if (c->chunk_size == 0) // end of stream + if (c->chunk_size <= 0) { // end of stream or invalid chunk size + c->chunk_size = 0; goto fail; + } c->buffer_ptr = c->buffer; break; } else if (++loop_run > 10) @@ -2724,6 +2726,7 @@ static int http_receive_data(HTTPContext *c) /* end of connection : close it */ goto fail; else { + av_assert0(len <= c->chunk_size); c->chunk_size -= len; c->buffer_ptr += len; c->data_count += len; _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
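Review bot: In the first hunk (http_receive_data, @@ -2701), the chunk size comes from `strtol(c->buffer, 0, 16)` with a null end pointer and no errno check, so the new `c->chunk_size <= 0` test is the only validation applied to it. A line containing no hex digits parses as 0 and is treated exactly like a legitimate end-of-stream chunk, and an out-of-range value is clamped by strtol and stored into c->chunk_size with no upper bound applied. Suggest passing an end pointer and rejecting input where no digits were consumed, checking errno for ERANGE, and capping the value against a maximum before the assignment. Since both the end-of-stream and the invalid case go to `fail`, a log message on the invalid branch would also make malformed clients distinguishable from normal stream termination.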
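Review bot: In the second hunk (@@ -2724), `av_assert0(len <= c->chunk_size)` sits on a path driven by data received from the client, so if the condition is ever false the whole server process aborts instead of only this connection being dropped. The function already uses `goto fail` to close a connection, so handling `len > c->chunk_size` with an error log and `goto fail` would contain the failure to the offending connection. The assert also runs after len has been obtained; the lines that bound the read are not visible in this hunk, so it is worth confirming that the read length is limited by c->chunk_size at that point, keeping the assert only as a backstop.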