On Mon, 19 Dec 2016, Vittorio Giovara wrote:
On Mon, Dec 19, 2016 at 9:56 PM, Martin Storsjö <mar...@martin.st> wrote:
A negative chunk size is illegal and would end up used as
length for memcpy, where it would lead to memory accesses
out of bounds.
Found-by: Paul Cher <paulc...@icloud.com>
CC: libav-sta...@libav.org
---
libavformat/http.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/http.c b/libavformat/http.c
index 8fe8d11..7e3708e 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -784,6 +784,8 @@ static int http_read_stream(URLContext *h, uint8_t *buf,
int size)
av_log(NULL, AV_LOG_TRACE, "Chunked encoding data size:
%"PRId64"'\n",
s->chunksize);
+ if (s->chunksize < 0)
+ return AVERROR_INVALIDDATA;
if (!s->chunksize)
return 0;
This is mostly a nit, but would it make sense to coalesce the second
`if` into a `else if`?
Ok with me either way.
Pushed with this changed as suggested.
// Martin
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
