Browse code
ffserver: Check chunk size
Fixes out of array access
Fixes: poc_ffserver.py
Found-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer authored on 2016/12/06 01:27:45Showing 1 changed files
| ... | ... |
@@ -2738,8 +2738,10 @@ static int http_receive_data(HTTPContext *c) |
| 2738 | 2738 |
} else if (c->buffer_ptr - c->buffer >= 2 && |
| 2739 | 2739 |
!memcmp(c->buffer_ptr - 1, "\r\n", 2)) {
|
| 2740 | 2740 |
c->chunk_size = strtol(c->buffer, 0, 16); |
| 2741 |
- if (c->chunk_size == 0) // end of stream |
|
| 2741 |
+ if (c->chunk_size <= 0) { // end of stream or invalid chunk size
|
|
| 2742 |
+ c->chunk_size = 0; |
|
| 2742 | 2743 |
goto fail; |
| 2744 |
+ } |
|
| 2743 | 2745 |
c->buffer_ptr = c->buffer; |
| 2744 | 2746 |
break; |
| 2745 | 2747 |
} else if (++loop_run > 10) |
| ... | ... |
@@ -2761,6 +2763,7 @@ static int http_receive_data(HTTPContext *c) |
| 2761 | 2761 |
/* end of connection : close it */ |
| 2762 | 2762 |
goto fail; |
| 2763 | 2763 |
else {
|
| 2764 |
+ av_assert0(len <= c->chunk_size); |
|
| 2764 | 2765 |
c->chunk_size -= len; |
| 2765 | 2766 |
c->buffer_ptr += len; |
| 2766 | 2767 |
c->data_count += len; |