On Tue, 13 Feb 2018, Sean McGovern wrote:

Using strcmp() with constant arrays in recent versions of GCC,
the compiler will "optimize" the calls to use memcmp() instead.

This can be problematic as some implementations of memcmp() are written
to compare full words at a time which can cause an out-of-bounds read.

Avoid the invalid read by using strncmp() instead.
---
libavformat/network.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/network.c b/libavformat/network.c
index 86d7955..2bbbb93 100644
--- a/libavformat/network.c
+++ b/libavformat/network.c
@@ -252,7 +252,7 @@ static int match_host_pattern(const char *pattern, const 
char *hostname)
    if (len_p > len_h)
        return 0;
    // Simply check if the end of hostname is equal to 'pattern'
-    if (!strcmp(pattern, &hostname[len_h - len_p])) {
+    if (!strncmp(pattern, &hostname[len_h - len_p], len_h)) {
        if (len_h == len_p)
            return 1; // Exact match
        if (hostname[len_h - len_p - 1] == '.')
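Review bot: the length passed to strncmp() on the `+` line should be len_p, not len_h. The comparison starts at &hostname[len_h - len_p], where only len_p characters remain before the terminator, and pattern itself is len_p characters long (the earlier `if (len_p > len_h) return 0;` guarantees len_p <= len_h). With len_h as the limit, strncmp() still runs until it reaches the NUL of the shorter operand, which is exactly what strcmp() did, so the change does not actually bound the read as the commit message intends. Suggested line: `if (!strncmp(pattern, &hostname[len_h - len_p], len_p)) {`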
--
2.7.4

Despite the commit message, I don't really understand what's happening. Can you give a more detailed explanation? I don't want to obfuscate code to dance around optimizations unless I at least understand why and how.

// Martin
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
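To make the bounded suffix comparison concrete, here is a stand-alone C example of the same host-pattern check, written for this thread and not taken from libav. The function name host_suffix_match is hypothetical, and the hostnames in main() are constructed test values. The point it illustrates is that the limit handed to strncmp() is the pattern length, which is exactly the number of bytes left in both strings from the compare offset, so the comparison never depends on how far a library memcmp() might read.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical suffix matcher (example code, not libav's).
 * Returns 1 when hostname equals pattern or ends in ".<pattern>",
 * otherwise 0. The comparison is bounded by len_p, the number of
 * bytes that remain in both strings from the compare offset. */
int host_suffix_match(const char *pattern, const char *hostname)
{
    size_t len_p = strlen(pattern);
    size_t len_h = strlen(hostname);

    /* An empty pattern matches nothing; a pattern longer than the
     * hostname cannot be its suffix. */
    if (len_p == 0 || len_p > len_h)
        return 0;

    /* Compare only the trailing len_p bytes of hostname with pattern. */
    if (strncmp(pattern, hostname + (len_h - len_p), len_p) != 0)
        return 0;

    if (len_h == len_p)
        return 1;                      /* exact match */

    /* The suffix must begin at a label boundary: "www.example.com"
     * matches "example.com", but "badexample.com" does not. */
    return hostname[len_h - len_p - 1] == '.';
}

int main(void)
{
    /* Constructed sample hostnames. */
    static const char *const hosts[] = {
        "example.com",
        "www.example.com",
        "badexample.com",
        "com",
        "example.com.evil",
    };
    const char *pattern = "example.com";

    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-18s -> %d\n", hosts[i], host_suffix_match(pattern, hosts[i]));
    return 0;
}
```

Because the pattern is exactly len_p bytes and the tail of the hostname is exactly len_p bytes, strncmp() with that bound gives the same answer as strcmp() on the same operands, without relying on either string's terminator being reached first.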
