When the command line for children is created, it is assumed that
my_program_name always ends with "ffserver", which doesn't have to
be true if ffserver is called through a symbolic link.
In such a case, it could be that not enough space for "ffmpeg" is
available at the end, leading to a buffer overflow.
One example would be:
$ ln -s /usr/bin/ffserver ~/f; ~/f
As this is only a local buffer overflow, i.e. is based on a weird
program call, this has NO security impact.
---
ffserver.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/ffserver.c b/ffserver.c
index 02a583464b..8b819b6934 100644
--- a/ffserver.c
+++ b/ffserver.c
@@ -495,20 +495,22 @@ static void start_children(FFServerStream *feed)
return;
}
- pathname = av_strdup (my_program_name);
+ slash = strrchr(my_program_name, '/');
+ if (!slash) {
+ pathname = av_mallocz(sizeof("ffmpeg"));
+ } else {
+ pathname = av_mallocz(slash - my_program_name + sizeof("ffmpeg"));
+ if (pathname != NULL) {
+ memcpy(pathname, my_program_name, slash - my_program_name);
+ }
+ }
if (!pathname) {
http_log("Could not allocate memory for children cmd line\n");
return;
}
- /* replace "ffserver" with "ffmpeg" in the path of current
- * program. Ignore user provided path */
+ /* use "ffmpeg" in the path of current program. Ignore user provided path */
- slash = strrchr(pathname, '/');
- if (!slash)
- slash = pathname;
- else
- slash++;
- strcpy(slash, "ffmpeg");
+ strcat(pathname, "ffmpeg");
for (; feed; feed = feed->next) {
--
2.11.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
