ffserver: local OOB write with custom program name

When the command line for children is created, it is assumed that
my_program_name always ends with "ffserver", which doesn't have to
be true if ffserver is called through a symbolic link.

In such a case, it could be that not enough space for "ffmpeg" is
available at the end, leading to a buffer overflow.

One example would be:

$ ln -s /usr/bin/ffserver ~/f; ~/f

As this is only a local buffer overflow, i.e. is based on a weird
program call, this has NO security impact.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
pull/234/merge
Tobias Stoeckmann 8 years ago committed by Michael Niedermayer
parent fd010406c0
commit 95d9a85ca3
  1. 20
      ffserver.c

@ -495,20 +495,22 @@ static void start_children(FFServerStream *feed)
return;
}
pathname = av_strdup (my_program_name);
slash = strrchr(my_program_name, '/');
if (!slash) {
pathname = av_mallocz(sizeof("ffmpeg"));
} else {
pathname = av_mallocz(slash - my_program_name + sizeof("ffmpeg"));
if (pathname != NULL) {
memcpy(pathname, my_program_name, slash - my_program_name);
}
}
if (!pathname) {
http_log("Could not allocate memory for children cmd line\n");
return;
}
/* replace "ffserver" with "ffmpeg" in the path of current
* program. Ignore user provided path */
/* use "ffmpeg" in the path of current program. Ignore user provided path */
slash = strrchr(pathname, '/');
if (!slash)
slash = pathname;
else
slash++;
strcpy(slash, "ffmpeg");
strcat(pathname, "ffmpeg");
for (; feed; feed = feed->next) {

Loading…
Cancel
Save