From patchwork Mon Dec 19 20:56:37 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: http: Check for negative chunk sizes
X-Patchwork-Submitter: =?utf-8?q?Martin_Storsj=C3=B6?= <martin@martin.st>
X-Patchwork-Id: 62510
Message-Id: <20161219205637.23895-1-martin@martin.st>
To: libav-devel@libav.org
Cc: libav-stable@libav.org
Date: Mon, 19 Dec 2016 22:56:37 +0200
From: =?utf-8?q?Martin_Storsj=C3=B6?= <martin@martin.st>
List-Id: libav development <libav-devel.libav.org>

A negative chunk size is illegal and would end up used as
length for memcpy, where it would lead to memory accesses
out of bounds.

Found-by: Paul Cher <paulcher@icloud.com>

CC: libav-stable@libav.org
---
 libavformat/http.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/http.c b/libavformat/http.c
index 8fe8d11..7e3708e 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -784,6 +784,8 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size)
 
                 av_log(NULL, AV_LOG_TRACE, "Chunked encoding data size: %"PRId64"'\n",
                         s->chunksize);
+                if (s->chunksize < 0)
+                    return AVERROR_INVALIDDATA;
 
                 if (!s->chunksize)
                     return 0;