virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-08 13:22:53 +02:00
Code Issues Releases Activity

ffserver: fix unsafe snprintf() return usage.

Browse Source 
Found-by: "Ronald S. Bultje" <rsbultje@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2012-09-09 14:10:11 +02:00
parent 9c6af3a3db
commit 1fc3e8f4ea
1 changed files with 23 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
ffserver.c
View File

@ -1566,7 +1566,7 @@ static int http_parse_request(HTTPContext *c)
if (stream->stream_type == STREAM_TYPE_REDIRECT) { if (stream->stream_type == STREAM_TYPE_REDIRECT) {
c->http_error = 301; c->http_error = 301;
q = c->buffer; q = c->buffer;
q += snprintf(q, c->buffer_size, snprintf(q, c->buffer_size,
"HTTP/1.0 301 Moved\r\n" "HTTP/1.0 301 Moved\r\n"
"Location: %s\r\n" "Location: %s\r\n"
"Content-type: text/html\r\n" "Content-type: text/html\r\n"
@ -1574,6 +1574,7 @@ static int http_parse_request(HTTPContext *c)
"<html><head><title>Moved</title></head><body>\r\n" "<html><head><title>Moved</title></head><body>\r\n"
"You should be <a href=\"%s\">redirected</a>.\r\n" "You should be <a href=\"%s\">redirected</a>.\r\n"
"</body></html>\r\n", stream->feed_filename, stream->feed_filename); "</body></html>\r\n", stream->feed_filename, stream->feed_filename);
q += strlen(q);
/* prepare output buffer */ /* prepare output buffer */
c->buffer_ptr = c->buffer; c->buffer_ptr = c->buffer;
c->buffer_end = q; c->buffer_end = q;
@ -1604,7 +1605,7 @@ static int http_parse_request(HTTPContext *c)
if (c->post == 0 && max_bandwidth < current_bandwidth) { if (c->post == 0 && max_bandwidth < current_bandwidth) {
c->http_error = 503; c->http_error = 503;
q = c->buffer; q = c->buffer;
q += snprintf(q, c->buffer_size, snprintf(q, c->buffer_size,
"HTTP/1.0 503 Server too busy\r\n" "HTTP/1.0 503 Server too busy\r\n"
"Content-type: text/html\r\n" "Content-type: text/html\r\n"
"\r\n" "\r\n"
@ -1613,6 +1614,7 @@ static int http_parse_request(HTTPContext *c)
"<p>The bandwidth being served (including your stream) is %"PRIu64"kbit/sec, " "<p>The bandwidth being served (including your stream) is %"PRIu64"kbit/sec, "
"and this exceeds the limit of %"PRIu64"kbit/sec.</p>\r\n" "and this exceeds the limit of %"PRIu64"kbit/sec.</p>\r\n"
"</body></html>\r\n", current_bandwidth, max_bandwidth); "</body></html>\r\n", current_bandwidth, max_bandwidth);
q += strlen(q);
/* prepare output buffer */ /* prepare output buffer */
c->buffer_ptr = c->buffer; c->buffer_ptr = c->buffer;
c->buffer_end = q; c->buffer_end = q;
@ -1655,7 +1657,7 @@ static int http_parse_request(HTTPContext *c)
q = c->buffer; q = c->buffer;
switch(redir_type) { switch(redir_type) {
case REDIR_ASX: case REDIR_ASX:
q += snprintf(q, c->buffer_size, snprintf(q, c->buffer_size,
"HTTP/1.0 200 ASX Follows\r\n" "HTTP/1.0 200 ASX Follows\r\n"
"Content-type: video/x-ms-asf\r\n" "Content-type: video/x-ms-asf\r\n"
"\r\n" "\r\n"
@ -1663,22 +1665,25 @@ static int http_parse_request(HTTPContext *c)
//"<!-- Autogenerated by ffserver -->\r\n" //"<!-- Autogenerated by ffserver -->\r\n"
"<ENTRY><REF HREF=\"http://%s/%s%s\"/></ENTRY>\r\n" "<ENTRY><REF HREF=\"http://%s/%s%s\"/></ENTRY>\r\n"
"</ASX>\r\n", hostbuf, filename, info); "</ASX>\r\n", hostbuf, filename, info);
q += strlen(q);
break; break;
case REDIR_RAM: case REDIR_RAM:
q += snprintf(q, c->buffer_size, snprintf(q, c->buffer_size,
"HTTP/1.0 200 RAM Follows\r\n" "HTTP/1.0 200 RAM Follows\r\n"
"Content-type: audio/x-pn-realaudio\r\n" "Content-type: audio/x-pn-realaudio\r\n"
"\r\n" "\r\n"
"# Autogenerated by ffserver\r\n" "# Autogenerated by ffserver\r\n"
"http://%s/%s%s\r\n", hostbuf, filename, info); "http://%s/%s%s\r\n", hostbuf, filename, info);
q += strlen(q);
break; break;
case REDIR_ASF: case REDIR_ASF:
q += snprintf(q, c->buffer_size, snprintf(q, c->buffer_size,
"HTTP/1.0 200 ASF Redirect follows\r\n" "HTTP/1.0 200 ASF Redirect follows\r\n"
"Content-type: video/x-ms-asf\r\n" "Content-type: video/x-ms-asf\r\n"
"\r\n" "\r\n"
"[Reference]\r\n" "[Reference]\r\n"
"Ref1=http://%s/%s%s\r\n", hostbuf, filename, info); "Ref1=http://%s/%s%s\r\n", hostbuf, filename, info);
q += strlen(q);
break; break;
case REDIR_RTSP: case REDIR_RTSP:
{ {
@ -1688,12 +1693,13 @@ static int http_parse_request(HTTPContext *c)
p = strrchr(hostname, ':'); p = strrchr(hostname, ':');
if (p) if (p)
*p = '\0'; *p = '\0';
q += snprintf(q, c->buffer_size, snprintf(q, c->buffer_size,
"HTTP/1.0 200 RTSP Redirect follows\r\n" "HTTP/1.0 200 RTSP Redirect follows\r\n"
/* XXX: incorrect mime type ? */ /* XXX: incorrect mime type ? */
"Content-type: application/x-rtsp\r\n" "Content-type: application/x-rtsp\r\n"
"\r\n" "\r\n"
"rtsp://%s:%d/%s\r\n", hostname, ntohs(my_rtsp_addr.sin_port), filename); "rtsp://%s:%d/%s\r\n", hostname, ntohs(my_rtsp_addr.sin_port), filename);
q += strlen(q);
} }
break; break;
case REDIR_SDP: case REDIR_SDP:
@ -1702,10 +1708,11 @@ static int http_parse_request(HTTPContext *c)
int sdp_data_size, len; int sdp_data_size, len;
struct sockaddr_in my_addr; struct sockaddr_in my_addr;
q += snprintf(q, c->buffer_size, snprintf(q, c->buffer_size,
"HTTP/1.0 200 OK\r\n" "HTTP/1.0 200 OK\r\n"
"Content-type: application/sdp\r\n" "Content-type: application/sdp\r\n"
"\r\n"); "\r\n");
q += strlen(q);
len = sizeof(my_addr); len = sizeof(my_addr);
getsockname(c->fd, (struct sockaddr *)&my_addr, &len); getsockname(c->fd, (struct sockaddr *)&my_addr, &len);
@ -1824,12 +1831,12 @@ static int http_parse_request(HTTPContext *c)
} }
/* prepare http header */ /* prepare http header */
q = c->buffer; c->buffer[0] = 0;
q += snprintf(q, q - (char *) c->buffer + c->buffer_size, "HTTP/1.0 200 OK\r\n"); av_strlcatf(c->buffer, c->buffer_size, "HTTP/1.0 200 OK\r\n");
mime_type = c->stream->fmt->mime_type; mime_type = c->stream->fmt->mime_type;
if (!mime_type) if (!mime_type)
mime_type = "application/x-octet-stream"; mime_type = "application/x-octet-stream";
q += snprintf(q, q - (char *) c->buffer + c->buffer_size, "Pragma: no-cache\r\n"); av_strlcatf(c->buffer, c->buffer_size, "Pragma: no-cache\r\n");
/* for asf, we need extra headers */ /* for asf, we need extra headers */
if (!strcmp(c->stream->fmt->name,"asf_stream")) { if (!strcmp(c->stream->fmt->name,"asf_stream")) {
@ -1837,10 +1844,11 @@ static int http_parse_request(HTTPContext *c)
c->wmp_client_id = av_lfg_get(&random_state); c->wmp_client_id = av_lfg_get(&random_state);
q += snprintf(q, q - (char *) c->buffer + c->buffer_size, "Server: Cougar 4.1.0.3923\r\nCache-Control: no-cache\r\nPragma: client-id=%d\r\nPragma: features=\"broadcast\"\r\n", c->wmp_client_id); av_strlcatf(c->buffer, c->buffer_size, "Server: Cougar 4.1.0.3923\r\nCache-Control: no-cache\r\nPragma: client-id=%d\r\nPragma: features=\"broadcast\"\r\n", c->wmp_client_id);
} }
q += snprintf(q, q - (char *) c->buffer + c->buffer_size, "Content-Type: %s\r\n", mime_type); av_strlcatf(c->buffer, c->buffer_size, "Content-Type: %s\r\n", mime_type);
q += snprintf(q, q - (char *) c->buffer + c->buffer_size, "\r\n"); av_strlcatf(c->buffer, c->buffer_size, "\r\n");
q = c->buffer + strlen(c->buffer);
/* prepare output buffer */ /* prepare output buffer */
c->http_error = 0; c->http_error = 0;
@ -1851,7 +1859,7 @@ static int http_parse_request(HTTPContext *c)
send_error: send_error:
c->http_error = 404; c->http_error = 404;
q = c->buffer; q = c->buffer;
q += snprintf(q, c->buffer_size, snprintf(q, c->buffer_size,
"HTTP/1.0 404 Not Found\r\n" "HTTP/1.0 404 Not Found\r\n"
"Content-type: text/html\r\n" "Content-type: text/html\r\n"
"\r\n" "\r\n"
@ -1859,6 +1867,7 @@ static int http_parse_request(HTTPContext *c)
"<head><title>404 Not Found</title></head>\n" "<head><title>404 Not Found</title></head>\n"
"<body>%s</body>\n" "<body>%s</body>\n"
"</html>\n", msg); "</html>\n", msg);
q += strlen(q);
/* prepare output buffer */ /* prepare output buffer */
c->buffer_ptr = c->buffer; c->buffer_ptr = c->buffer;
c->buffer_end = q; c->buffer_end = q;