From patchwork Fri Jan 6 22:33:16 2017
X-Patchwork-Submitter: Tobias Stoeckmann
X-Patchwork-Id: 2096
Date: Fri, 6 Jan 2017 23:33:16 +0100
From: Tobias Stoeckmann
To: ffmpeg-devel@ffmpeg.org
Message-ID: <20170106223315.GA20693@localhost>
Subject: [FFmpeg-devel] [PATCH] ffserver: local OOB write with custom program name

When the command line for children is created, it is assumed that my_program_name always ends with "ffserver", which doesn't have to be true if ffserver is called through a symbolic link. In such a case, it could be that not enough space for "ffmpeg" is available at the end, leading to a buffer overflow.
One example would be:

$ ln -s /usr/bin/ffserver ~/f; ~/f

As this is only a local buffer overflow, i.e. is based on a weird program call, this has NO security impact.
---
 ffserver.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/ffserver.c b/ffserver.c index 02a583464b..8b819b6934 100644 --- a/ffserver.c +++ b/ffserver.c @@ -495,20 +495,22 @@ static void start_children(FFServerStream *feed) return; } - pathname = av_strdup (my_program_name); + slash = strrchr(my_program_name, '/'); + if (!slash) { + pathname = av_mallocz(sizeof("ffmpeg")); + } else { + pathname = av_mallocz(slash - my_program_name + sizeof("ffmpeg")); + if (pathname != NULL) { + memcpy(pathname, my_program_name, slash - my_program_name); + } + } if (!pathname) { http_log("Could not allocate memory for children cmd line\n"); return; } - /* replace "ffserver" with "ffmpeg" in the path of current - * program. Ignore user provided path */ + /* use "ffmpeg" in the path of current program. Ignore user provided path */ - slash = strrchr(pathname, '/'); - if (!slash) - slash = pathname; - else - slash++; - strcpy(slash, "ffmpeg"); + strcat(pathname, "ffmpeg"); for (; feed; feed = feed->next) {
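Review bot: the `else` branch drops the directory separator, so for my_program_name "/usr/bin/ffserver" the result is "/usr/binffmpeg" rather than "/usr/bin/ffmpeg". `slash - my_program_name` is the number of bytes before the last '/', and `memcpy(pathname, my_program_name, slash - my_program_name)` copies exactly those bytes, after which `strcat(pathname, "ffmpeg")` appends directly to "/usr/bin". Allocate `slash - my_program_name + 1 + sizeof("ffmpeg")` and copy `slash - my_program_name + 1` bytes so the slash is kept; `sizeof("ffmpeg")` already covers the terminator, and av_mallocz's zero fill keeps strcat correct in both branches. Minor style point: `if (pathname != NULL)` sits three lines above `if (!pathname)`; pick one form.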
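The overflow described in the commit message, as an added example in plain C that is not part of the patch or of ffserver: build_child_path() sizes the buffer from the directory part of argv[0] rather than reusing a copy of the full name, and old_scheme_overflow() computes how many bytes the pre-patch approach (strcpy of "ffmpeg" over the basename inside an av_strdup copy) would have written past the end of the buffer for a given program name. Both function names are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (hypothetical helper, not ffserver's own code).
 * Keep the directory part of the program name, including the trailing '/',
 * and append "ffmpeg". The allocation is derived from the directory length
 * plus sizeof("ffmpeg"), which already counts the NUL, so the basename
 * length of the original program name no longer matters. Caller frees. */
char *build_child_path(const char *prog)
{
    const char *slash = strrchr(prog, '/');
    size_t dirlen = slash ? (size_t)(slash - prog) + 1 : 0;
    char *path = malloc(dirlen + sizeof("ffmpeg"));
    if (!path)
        return NULL;
    memcpy(path, prog, dirlen);
    memcpy(path + dirlen, "ffmpeg", sizeof("ffmpeg"));
    return path;
}

/* Bytes the pre-patch scheme would write past the end of av_strdup(prog):
 * it overwrote everything after the last '/' with "ffmpeg" (7 bytes with
 * the NUL) inside a buffer that only holds strlen(prog) + 1 bytes.
 * Returns 0 when the basename was long enough for the write to fit. */
size_t old_scheme_overflow(const char *prog)
{
    const char *slash = strrchr(prog, '/');
    size_t tail = strlen(slash ? slash + 1 : prog) + 1; /* basename + NUL */
    return tail >= sizeof("ffmpeg") ? 0 : sizeof("ffmpeg") - tail;
}

int main(void)
{
    /* Constructed sample names: the normal install path and the symlink
     * case from the commit message ("~/f" expanded to a home directory). */
    const char *names[] = { "/usr/bin/ffserver", "/home/user/f", "f" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        char *p = build_child_path(names[i]);
        printf("%-20s -> %-20s old overflow: %zu bytes\n",
               names[i], p ? p : "(alloc failed)", old_scheme_overflow(names[i]));
        free(p);
    }
    return 0;
}
```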