Browse code
ffserver: local OOB write with custom program name
When the command line for children is created, it is assumed that
my_program_name always ends with "ffserver", which doesn't have to
be true if ffserver is called through a symbolic link.
In such a case, it could be that not enough space for "ffmpeg" is
available at the end, leading to a buffer overflow.
One example would be:
$ ln -s /usr/bin/ffserver ~/f; ~/f
As this is only a local buffer overflow, i.e. is based on a weird
program call, this has NO security impact.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Tobias Stoeckmann authored on 2017/01/07 07:33:16Showing 1 changed files
| ... | ... |
@@ -495,20 +495,22 @@ static void start_children(FFServerStream *feed) |
| 495 | 495 |
return; |
| 496 | 496 |
} |
| 497 | 497 |
|
| 498 |
- pathname = av_strdup (my_program_name); |
|
| 498 |
+ slash = strrchr(my_program_name, '/'); |
|
| 499 |
+ if (!slash) {
|
|
| 500 |
+ pathname = av_mallocz(sizeof("ffmpeg"));
|
|
| 501 |
+ } else {
|
|
| 502 |
+ pathname = av_mallocz(slash - my_program_name + sizeof("ffmpeg"));
|
|
| 503 |
+ if (pathname != NULL) {
|
|
| 504 |
+ memcpy(pathname, my_program_name, slash - my_program_name); |
|
| 505 |
+ } |
|
| 506 |
+ } |
|
| 499 | 507 |
if (!pathname) {
|
| 500 | 508 |
http_log("Could not allocate memory for children cmd line\n");
|
| 501 | 509 |
return; |
| 502 | 510 |
} |
| 503 |
- /* replace "ffserver" with "ffmpeg" in the path of current |
|
| 504 |
- * program. Ignore user provided path */ |
|
| 511 |
+ /* use "ffmpeg" in the path of current program. Ignore user provided path */ |
|
| 505 | 512 |
|
| 506 |
- slash = strrchr(pathname, '/'); |
|
| 507 |
- if (!slash) |
|
| 508 |
- slash = pathname; |
|
| 509 |
- else |
|
| 510 |
- slash++; |
|
| 511 |
- strcpy(slash, "ffmpeg"); |
|
| 513 |
+ strcat(pathname, "ffmpeg"); |
|
| 512 | 514 |
|
| 513 | 515 |
for (; feed; feed = feed->next) {
|
| 514 | 516 |
|