On Mon, Dec 19, 2016 at 9:56 PM, Martin Storsjö <[email protected]> wrote: > A negative chunk size is illegal and would end up used as > length for memcpy, where it would lead to memory accesses > out of bounds. > > Found-by: Paul Cher <[email protected]> > > CC: [email protected] > --- > libavformat/http.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/libavformat/http.c b/libavformat/http.c > index 8fe8d11..7e3708e 100644 > --- a/libavformat/http.c > +++ b/libavformat/http.c > @@ -784,6 +784,8 @@ static int http_read_stream(URLContext *h, uint8_t *buf, > int size) > > av_log(NULL, AV_LOG_TRACE, "Chunked encoding data size: > %"PRId64"'\n", > s->chunksize); > + if (s->chunksize < 0) > + return AVERROR_INVALIDDATA; > > if (!s->chunksize) > return 0;
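Review bot: the added `if (s->chunksize < 0)` branch returns AVERROR_INVALIDDATA but leaves the negative value stored in `s->chunksize`, so a caller that ignores the error and calls http_read_stream() again would start from that stale state. Whether the value is re-checked on the next call depends on code outside this hunk, so either reset the field before returning or confirm that the surrounding logic cannot reach the copy with it. The rejection is also silent apart from the existing AV_LOG_TRACE line; an error-level av_log() naming the invalid chunk size would make a malformed or hostile server response easier to diagnose.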
This is mostly a nit, but would it make sense to coalesce the second `if` into an `else if`? Ok with me either way.

--
Vittorio
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
