Skip to content

F
ffmpeg.wasm-core
Commit a5d25faa authored by Michael Niedermayer's avatar Michael Niedermayer
Browse files
Options

ffserver: Check chunk size 

Fixes out of array access

Fixes: poc_ffserver.py
Found-by: 's avatarPaul Cher <paulcher@icloud.com>
Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent a5f27a9c
Hide whitespace changes
Inline Side-by-side
Showing with 4 additions and 1 deletion
ffserver.c
View file @ a5d25faa
...@@ -2738,8 +2738,10 @@ static int http_receive_data(HTTPContext *c) ...@@ -2738,8 +2738,10 @@ static int http_receive_data(HTTPContext *c)
} else if (c->buffer_ptr - c->buffer >= 2 && } else if (c->buffer_ptr - c->buffer >= 2 &&
!memcmp(c->buffer_ptr - 1, "\r\n", 2)) { !memcmp(c->buffer_ptr - 1, "\r\n", 2)) {
c->chunk_size = strtol(c->buffer, 0, 16); c->chunk_size = strtol(c->buffer, 0, 16);
if (c->chunk_size == 0) // end of stream if (c->chunk_size <= 0) { // end of stream or invalid chunk size
c->chunk_size = 0;
goto fail; goto fail;
}
c->buffer_ptr = c->buffer; c->buffer_ptr = c->buffer;
break; break;
} else if (++loop_run > 10) } else if (++loop_run > 10)
...@@ -2761,6 +2763,7 @@ static int http_receive_data(HTTPContext *c) ...@@ -2761,6 +2763,7 @@ static int http_receive_data(HTTPContext *c)
/* end of connection : close it */ /* end of connection : close it */
goto fail; goto fail;
else { else {
av_assert0(len <= c->chunk_size);
c->chunk_size -= len; c->chunk_size -= len;
c->buffer_ptr += len; c->buffer_ptr += len;
c->data_count += len; c->data_count += len;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment