Fixes out of array access
Fixes: poc_ffserver.py
Found-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
... | ... |
@@ -2738,8 +2738,10 @@ static int http_receive_data(HTTPContext *c) |
2738 | 2738 |
} else if (c->buffer_ptr - c->buffer >= 2 && |
2739 | 2739 |
!memcmp(c->buffer_ptr - 1, "\r\n", 2)) { |
2740 | 2740 |
c->chunk_size = strtol(c->buffer, 0, 16); |
2741 |
- if (c->chunk_size == 0) // end of stream |
|
2741 |
+ if (c->chunk_size <= 0) { // end of stream or invalid chunk size |
|
2742 |
+ c->chunk_size = 0; |
|
2742 | 2743 |
goto fail; |
2744 |
+ } |
|
2743 | 2745 |
c->buffer_ptr = c->buffer; |
2744 | 2746 |
break; |
2745 | 2747 |
} else if (++loop_run > 10) |
... | ... |
@@ -2761,6 +2763,7 @@ static int http_receive_data(HTTPContext *c) |
2761 | 2761 |
/* end of connection : close it */ |
2762 | 2762 |
goto fail; |
2763 | 2763 |
else { |
2764 |
+ av_assert0(len <= c->chunk_size); |
|
2764 | 2765 |
c->chunk_size -= len; |
2765 | 2766 |
c->buffer_ptr += len; |
2766 | 2767 |
c->data_count += len; |
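Review bot: In the first hunk the chunk size is still taken straight from `strtol(c->buffer, 0, 16)` with only its sign checked, so a line with no hex digits looks the same as a genuine zero-length terminator chunk, and overflow (`ERANGE`) or narrowing from `long` into `chunk_size` goes unnoticed; the field's type is not visible here, so the narrowing part needs confirming. Parsing into a local `long` with an end pointer, and failing the request when no digits were consumed or the value is out of range for the field, would make the `<= 0` test mean what its comment says. In the second hunk, `av_assert0(len <= c->chunk_size);` aborts the whole server process on a path fed by peer data; if that invariant can ever be broken, `if (len > c->chunk_size) goto fail;` would drop only the offending connection. Both hunks sit inside http_receive_data, whose body starts and ends outside what is shown, so how `len` is bounded before this point could not be checked.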