When the command line for children is created, it is assumed that
my_program_name always ends with "ffserver", which doesn't have to
be true if ffserver is called through a symbolic link.
In such a case, it could be that not enough space for "ffmpeg" is
available at the end, leading to a buffer overflow.
One example would be:
$ ln -s /usr/bin/ffserver ~/f; ~/f
As this is only a local buffer overflow, i.e. is based on a weird
program call, this has NO security impact.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
... | ... |
@@ -495,20 +495,22 @@ static void start_children(FFServerStream *feed) |
495 | 495 |
return; |
496 | 496 |
} |
497 | 497 |
|
498 |
- pathname = av_strdup (my_program_name); |
|
498 |
+ slash = strrchr(my_program_name, '/'); |
|
499 |
+ if (!slash) { |
|
500 |
+ pathname = av_mallocz(sizeof("ffmpeg")); |
|
501 |
+ } else { |
|
502 |
+ pathname = av_mallocz(slash - my_program_name + sizeof("ffmpeg")); |
|
503 |
+ if (pathname != NULL) { |
|
504 |
+ memcpy(pathname, my_program_name, slash - my_program_name); |
|
505 |
+ } |
|
506 |
+ } |
|
499 | 507 |
if (!pathname) { |
500 | 508 |
http_log("Could not allocate memory for children cmd line\n"); |
501 | 509 |
return; |
502 | 510 |
} |
503 |
- /* replace "ffserver" with "ffmpeg" in the path of current |
|
504 |
- * program. Ignore user provided path */ |
|
511 |
+ /* use "ffmpeg" in the path of current program. Ignore user provided path */ |
|
505 | 512 |
|
506 |
- slash = strrchr(pathname, '/'); |
|
507 |
- if (!slash) |
|
508 |
- slash = pathname; |
|
509 |
- else |
|
510 |
- slash++; |
|
511 |
- strcpy(slash, "ffmpeg"); |
|
513 |
+ strcat(pathname, "ffmpeg"); |
|
512 | 514 |
|
513 | 515 |
for (; feed; feed = feed->next) { |
514 | 516 |
|
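Review bot: The rebuilt path loses its directory separator. `memcpy(pathname, my_program_name, slash - my_program_name)` copies only the bytes before the last '/', and `strcat(pathname, "ffmpeg")` then appends directly, so an invocation as `/usr/bin/ffserver` yields `/usr/binffmpeg` instead of `/usr/bin/ffmpeg` (the removed code did `slash++` before writing). Keep the slash by allocating and copying one more byte: `pathname = av_mallocz(slash - my_program_name + 1 + sizeof("ffmpeg"));` and `memcpy(pathname, my_program_name, slash - my_program_name + 1);`. This string is presumably the path the child process is launched with, so a wrong value means the children fail to start or resolve to a file other than the sibling ffmpeg; it is worth exercising both a path-qualified and a bare invocation. The body of start_children starts and continues outside the hunk, so the later use of `pathname` is not visible here.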