head/multimedia/mythtv/files/patch-CVE-2016-10192
Property | Old Value | New Value |
---|---|---|
fbsd:nokeywords | null | yes \ No newline at end of property |
svn:eol-style | null | native \ No newline at end of property |
svn:mime-type | null | text/plain \ No newline at end of property |
From c12ee64e80af2517005231388fdf4ea78f16bb0e Mon Sep 17 00:00:00 2001 | |||||
From: Michael Niedermayer <michael@niedermayer.cc> | |||||
Date: Mon, 5 Dec 2016 17:27:45 +0100 | |||||
Subject: [PATCH] ffserver: Check chunk size | |||||
Fixes out of array access | |||||
Fixes: poc_ffserver.py | |||||
Found-by: Paul Cher <paulcher@icloud.com> | |||||
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | |||||
(cherry picked from commit a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156) | |||||
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | |||||
--- | |||||
ffserver.c | 5 ++++- | |||||
1 file changed, 4 insertions(+), 1 deletion(-) | |||||
diff --git ffserver.c ffserver.c | |||||
index 453d790e6cd..aec808e78cb 100644 | |||||
--- external/FFmpeg/ffserver.c.orig | |||||
+++ external/FFmpeg/ffserver.c | |||||
@@ -2702,8 +2702,10 @@ static int http_receive_data(HTTPContext *c) | |||||
} else if (c->buffer_ptr - c->buffer >= 2 && | |||||
!memcmp(c->buffer_ptr - 1, "\r\n", 2)) { | |||||
c->chunk_size = strtol(c->buffer, 0, 16); | |||||
- if (c->chunk_size == 0) // end of stream | |||||
+ if (c->chunk_size <= 0) { // end of stream or invalid chunk size | |||||
+ c->chunk_size = 0; | |||||
goto fail; | |||||
+ } | |||||
c->buffer_ptr = c->buffer; | |||||
break; | |||||
} else if (++loop_run > 10) | |||||
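Review bot: A chunk-size line with no hex digits still parses as 0, because `strtol(c->buffer, 0, 16)` is called without an end pointer, so malformed input cannot be told apart from the legitimate terminating zero-length chunk. Both cases reach `goto fail`, so the outcome is safe, but separating them helps logging and later reuse: `char *end; long sz = strtol(c->buffer, &end, 16); if (end == c->buffer || sz <= 0) { c->chunk_size = 0; goto fail; }`. The declared type of `chunk_size` is not visible in this hunk; if it is narrower than `long`, a large value is truncated on assignment before the `<= 0` test runs, so range-check the `long` before storing it. The body of http_receive_data starts and ends outside the hunk.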
@@ -2725,6 +2727,7 @@ static int http_receive_data(HTTPContext *c) | |||||
/* end of connection : close it */ | |||||
goto fail; | |||||
else { | |||||
+ av_assert0(len <= c->chunk_size); | |||||
c->chunk_size -= len; | |||||
c->buffer_ptr += len; | |||||
c->data_count += len; |
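Review bot: `av_assert0` aborts the whole server process when its condition fails, so if `len > c->chunk_size` can ever be reached from peer input, the out-of-bounds condition becomes a denial of service for every connected client. The invariant presumably holds because the receive length is bounded by `chunk_size`, but that call is outside this hunk and cannot be confirmed here. Closing only the offending connection keeps the check as defence in depth without the process-wide abort: `if (len > c->chunk_size) goto fail;`. A comment such as `/* recv() is bounded by chunk_size; a larger len means corrupted state */` would record why the check exists.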