A negative chunk size is illegal and would end up used as length for memcpy, where it would lead to memory accesses out of bounds.
Found-by: Paul Cher <[email protected]> CC: [email protected] --- libavformat/http.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/http.c b/libavformat/http.c index 8fe8d11..7e3708e 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -784,6 +784,8 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size) av_log(NULL, AV_LOG_TRACE, "Chunked encoding data size: %"PRId64"'\n", s->chunksize); + if (s->chunksize < 0) + return AVERROR_INVALIDDATA; if (!s->chunksize) return 0; -- 2.10.1 (Apple Git-78) _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
