Commit 37904d11 authored by Michael Niedermayer's avatar Michael Niedermayer

ffserver: Check chunk size

Fixes out of array access

Fixes: poc_ffserver.py
Found-by: 's avatarPaul Cher <paulcher@icloud.com>
Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5d25faa)
Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent 518934b5
......@@ -2702,8 +2702,10 @@ static int http_receive_data(HTTPContext *c)
} else if (c->buffer_ptr - c->buffer >= 2 &&
!memcmp(c->buffer_ptr - 1, "\r\n", 2)) {
c->chunk_size = strtol(c->buffer, 0, 16);
if (c->chunk_size == 0) // end of stream
if (c->chunk_size <= 0) { // end of stream or invalid chunk size
c->chunk_size = 0;
goto fail;
}
c->buffer_ptr = c->buffer;
break;
} else if (++loop_run > 10)
......@@ -2725,6 +2727,7 @@ static int http_receive_data(HTTPContext *c)
/* end of connection : close it */
goto fail;
else {
av_assert0(len <= c->chunk_size);
c->chunk_size -= len;
c->buffer_ptr += len;
c->data_count += len;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment