mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-12-23 12:43:46 +02:00
ffserver: Check chunk size
Fixes out of array access Fixes: poc_ffserver.py Found-by: Paul Cher <paulcher@icloud.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
parent
a5f27a9c3a
commit
a5d25faa3f
@ -2738,8 +2738,10 @@ static int http_receive_data(HTTPContext *c)
|
|||||||
} else if (c->buffer_ptr - c->buffer >= 2 &&
|
} else if (c->buffer_ptr - c->buffer >= 2 &&
|
||||||
!memcmp(c->buffer_ptr - 1, "\r\n", 2)) {
|
!memcmp(c->buffer_ptr - 1, "\r\n", 2)) {
|
||||||
c->chunk_size = strtol(c->buffer, 0, 16);
|
c->chunk_size = strtol(c->buffer, 0, 16);
|
||||||
if (c->chunk_size == 0) // end of stream
|
if (c->chunk_size <= 0) { // end of stream or invalid chunk size
|
||||||
|
c->chunk_size = 0;
|
||||||
goto fail;
|
goto fail;
|
||||||
|
}
|
||||||
c->buffer_ptr = c->buffer;
|
c->buffer_ptr = c->buffer;
|
||||||
break;
|
break;
|
||||||
} else if (++loop_run > 10)
|
} else if (++loop_run > 10)
|
||||||
@ -2761,6 +2763,7 @@ static int http_receive_data(HTTPContext *c)
|
|||||||
/* end of connection : close it */
|
/* end of connection : close it */
|
||||||
goto fail;
|
goto fail;
|
||||||
else {
|
else {
|
||||||
|
av_assert0(len <= c->chunk_size);
|
||||||
c->chunk_size -= len;
|
c->chunk_size -= len;
|
||||||
c->buffer_ptr += len;
|
c->buffer_ptr += len;
|
||||||
c->data_count += len;
|
c->data_count += len;
|
||||||
|
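Review bot: In the first hunk the chunk size still comes from `strtol(c->buffer, 0, 16)` with no end pointer and no upper bound, so the new `<= 0` test is the only validation applied to a value the client controls. A line with no hex digits parses as 0 and cannot be told apart from the end-of-stream marker, and if `chunk_size` is an `int` (its declaration is outside the hunk) an oversized value is narrowed in an implementation-defined way before the sign check runs. Parsing into a local and range-checking before the assignment would close that: `char *end; long v = strtol(c->buffer, &end, 16);` followed by `if (end == c->buffer || v <= 0 || v > INT_MAX) { c->chunk_size = 0; goto fail; }`. In the second hunk, `av_assert0(len <= c->chunk_size)` aborts the whole server if the invariant is ever broken; in a network-facing daemon, `if (len > c->chunk_size) goto fail;` would drop only the offending connection. Both hunks sit inside http_receive_data, whose body starts and ends outside the visible lines.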