1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00

ffserver: Check chunk size

Fixes out of array access

Fixes: poc_ffserver.py
Found-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2016-12-05 17:27:45 +01:00
parent a5f27a9c3a
commit a5d25faa3f

View File

@ -2738,8 +2738,10 @@ static int http_receive_data(HTTPContext *c)
} else if (c->buffer_ptr - c->buffer >= 2 && } else if (c->buffer_ptr - c->buffer >= 2 &&
!memcmp(c->buffer_ptr - 1, "\r\n", 2)) { !memcmp(c->buffer_ptr - 1, "\r\n", 2)) {
c->chunk_size = strtol(c->buffer, 0, 16); c->chunk_size = strtol(c->buffer, 0, 16);
if (c->chunk_size == 0) // end of stream if (c->chunk_size <= 0) { // end of stream or invalid chunk size
c->chunk_size = 0;
goto fail; goto fail;
}
c->buffer_ptr = c->buffer; c->buffer_ptr = c->buffer;
break; break;
} else if (++loop_run > 10) } else if (++loop_run > 10)
@ -2761,6 +2763,7 @@ static int http_receive_data(HTTPContext *c)
/* end of connection : close it */ /* end of connection : close it */
goto fail; goto fail;
else { else {
av_assert0(len <= c->chunk_size);
c->chunk_size -= len; c->chunk_size -= len;
c->buffer_ptr += len; c->buffer_ptr += len;
c->data_count += len; c->data_count += len;