diff mbox

[FFmpeg-devel] tools/zmqsend: Avoid mem copy past the end of input buffer

Message ID 20190808143710.21498-1-andriy.gelman@gmail.com
State Accepted
Commit 90e965be6d90fcf729b020dba675b062b59ee17d
Headers show

Commit Message

Andriy Gelman Aug. 8, 2019, 2:37 p.m. UTC 
From: Andriy Gelman <andriy.gelman@gmail.com>

This patch avoids a read past the end of the input buffer in memcpy since the size
of the received zmq message is recv_buf_size - 1.
---
 tools/zmqsend.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Paul B Mahol Aug. 8, 2019, 3:19 p.m. UTC | #1 
On Thu, Aug 8, 2019 at 4:44 PM Andriy Gelman <andriy.gelman@gmail.com>
wrote:

> From: Andriy Gelman <andriy.gelman@gmail.com>
>
> This patch avoids a read past the end of the input buffer in memcpy since
> the size
> of the received zmq message is recv_buf_size - 1.
> ---
>  tools/zmqsend.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/zmqsend.c b/tools/zmqsend.c
> index 7bd7fe4199..f26fa9c1c2 100644
> --- a/tools/zmqsend.c
> +++ b/tools/zmqsend.c
> @@ -155,7 +155,7 @@ int main(int argc, char **argv)
>          ret = 1;
>          goto end;
>      }
> -    memcpy(recv_buf, zmq_msg_data(&msg), recv_buf_size);
> +    memcpy(recv_buf, zmq_msg_data(&msg), recv_buf_size - 1);
>      recv_buf[recv_buf_size-1] = 0;
>      printf("%s\n", recv_buf);
>      zmq_msg_close(&msg);
> --
> 2.22.0
>
>
LGTM


> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Michael Niedermayer Aug. 9, 2019, 9:52 p.m. UTC | #2 
On Thu, Aug 08, 2019 at 05:19:54PM +0200, Paul B Mahol wrote:
> On Thu, Aug 8, 2019 at 4:44 PM Andriy Gelman <andriy.gelman@gmail.com>
> wrote:
> 
> > From: Andriy Gelman <andriy.gelman@gmail.com>
> >
> > This patch avoids a read past the end of the input buffer in memcpy since
> > the size
> > of the received zmq message is recv_buf_size - 1.
> > ---
> >  tools/zmqsend.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/tools/zmqsend.c b/tools/zmqsend.c
> > index 7bd7fe4199..f26fa9c1c2 100644
> > --- a/tools/zmqsend.c
> > +++ b/tools/zmqsend.c
> > @@ -155,7 +155,7 @@ int main(int argc, char **argv)
> >          ret = 1;
> >          goto end;
> >      }
> > -    memcpy(recv_buf, zmq_msg_data(&msg), recv_buf_size);
> > +    memcpy(recv_buf, zmq_msg_data(&msg), recv_buf_size - 1);
> >      recv_buf[recv_buf_size-1] = 0;
> >      printf("%s\n", recv_buf);
> >      zmq_msg_close(&msg);
> > --
> > 2.22.0
> >
> >
> LGTM

will apply

thanks

[...]
diff mbox

Patch

diff --git a/tools/zmqsend.c b/tools/zmqsend.c
index 7bd7fe4199..f26fa9c1c2 100644
--- a/tools/zmqsend.c
+++ b/tools/zmqsend.c
@@ -155,7 +155,7 @@  int main(int argc, char **argv)
         ret = 1;
         goto end;
     }
-    memcpy(recv_buf, zmq_msg_data(&msg), recv_buf_size);
+    memcpy(recv_buf, zmq_msg_data(&msg), recv_buf_size - 1);
     recv_buf[recv_buf_size-1] = 0;
     printf("%s\n", recv_buf);
     zmq_msg_close(&msg);