From a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 5 Dec 2016 17:27:45 +0100
Subject: [PATCH] ffserver: Check chunk size

Fixes out of array access

Fixes: poc_ffserver.py
Found-by: Paul Cher
Signed-off-by: Michael Niedermayer
---
 ffserver.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ffserver.c b/ffserver.c
index 3ff761f68f..02a583464b 100644
--- a/ffserver.c
+++ b/ffserver.c
@@ -2738,8 +2738,10 @@ static int http_receive_data(HTTPContext *c)
 } else if (c->buffer_ptr - c->buffer >= 2 &&
 !memcmp(c->buffer_ptr - 1, "\r\n", 2)) {
 c->chunk_size = strtol(c->buffer, 0, 16);
- if (c->chunk_size == 0) // end of stream
+ if (c->chunk_size <= 0) { // end of stream or invalid chunk size
+ c->chunk_size = 0;
 goto fail;
+ }
 c->buffer_ptr = c->buffer;
 break;
 } else if (++loop_run > 10)
@@ -2761,6 +2763,7 @@ static int http_receive_data(HTTPContext *c)
 /* end of connection : close it */
 goto fail;
 else {
+ av_assert0(len <= c->chunk_size);
 c->chunk_size -= len;
 c->buffer_ptr += len;
 c->data_count += len;
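Review bot: The new `c->chunk_size <= 0` check in the first hunk still trusts whatever `strtol(c->buffer, 0, 16)` returned: with no end pointer, a line holding no hex digits is indistinguishable from a genuine terminating `0` chunk, and the `long` result is stored in `c->chunk_size` before any range check, which would narrow silently if that field is an `int` (its declaration is not in this hunk). Parsing into a local first makes the validation explicit: `char *end; long sz = strtol(c->buffer, &end, 16);`, then `if (end == c->buffer || sz <= 0 || sz > INT_MAX) { c->chunk_size = 0; goto fail; }` and `c->chunk_size = sz;`. A log line on the rejecting branch would also let operators tell a malformed chunk header apart from a normal end of stream when reviewing server logs. The enclosing `http_receive_data` starts and ends outside the hunk.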
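Review bot: `av_assert0(len <= c->chunk_size)` in the second hunk aborts the whole server process if the invariant is ever broken, and this branch handles bytes received from a remote client, so a violated bound would end every active stream instead of only the offending connection. Failing just that connection keeps the same memory-safety guarantee: `if (len > c->chunk_size) goto fail;`. Whether `len` can actually exceed `c->chunk_size` depends on how `len` is obtained, which lies outside this hunk; if it cannot, a short comment such as `/* len is bounded by chunk_size where it is read */` would document why the check is unreachable.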