Skip to content
Permalink
Browse files Browse the repository at this point in the history
ffserver: Check chunk size
Fixes out of array access

Fixes: poc_ffserver.py
Found-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  • Loading branch information
michaelni committed Dec 5, 2016
1 parent a5f27a9 commit a5d25fa
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion ffserver.c
Expand Up @@ -2738,8 +2738,10 @@ static int http_receive_data(HTTPContext *c)
} else if (c->buffer_ptr - c->buffer >= 2 &&
!memcmp(c->buffer_ptr - 1, "\r\n", 2)) {
c->chunk_size = strtol(c->buffer, 0, 16);
if (c->chunk_size == 0) // end of stream
if (c->chunk_size <= 0) { // end of stream or invalid chunk size
c->chunk_size = 0;
goto fail;
}
c->buffer_ptr = c->buffer;
break;
} else if (++loop_run > 10)
Expand All @@ -2761,6 +2763,7 @@ static int http_receive_data(HTTPContext *c)
/* end of connection : close it */
goto fail;
else {
av_assert0(len <= c->chunk_size);
c->chunk_size -= len;
c->buffer_ptr += len;
c->data_count += len;
Expand Down

1 comment on commit a5d25fa

@carnil
Copy link

@carnil carnil commented on a5d25fa Feb 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is CVE-2016-10192

Please sign in to comment.