http: Check for negative chunk sizes

A negative chunk size is illegal and would end up used as length for memcpy, where it would lead to memory accesses out of bounds. Found-by: Paul Cher <paulcher@icloud.com> CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>

http: Check for negative chunk sizes
A negative chunk size is illegal and would end up used as length for memcpy, where it would lead to memory accesses out of bounds. Found-by: Paul Cher <paulcher@icloud.com> CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>
13164467 · Martin Storsjö · 0b77a593 · 13164467
Commit 13164467 authored Dec 15, 2016 by Martin Storsjö
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

http.c libavformat/http.c +3 -2

No files found.
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -784,8 +784,9 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size)
                av_log(NULL, AV_LOG_TRACE, "Chunked encoding data size: %"PRId64"'\n",
                        s->chunksize);
+                if (s->chunksize < 0)
-                if (!s->chunksize)
+                    return AVERROR_INVALIDDATA;
+                else if (!s->chunksize)
                    return 0;
                break;
            }