[FFmpeg-devel] [PATCH] bprint: Remove custom vsnprintf

Ronald S. Bultje rsbultje at gmail.com
Sun Sep 9 12:15:27 CEST 2012


Hi,

On Sun, Sep 9, 2012 at 11:05 AM, Nicolas George
<nicolas.george at normalesup.org> wrote:
> Le duodi 22 fructidor, an CCXX, Derek Buitenhuis a écrit :
>> A proper implementation was introduced in
>> ba537202801d71711f1ef9306a6248dd2d426fa0 for MSVC, and
>> MinGW already has vsnprintf.
>
> Unless I am mistaken, this implementation can not be used for bprint: it
> never returns a value larger than the provided buffer

Speaking of - ffmpeg relies on the opposite behaviour in quite a few
cases. E.g. ffserver.c:

    q += snprintf(q, q - (char *) c->buffer + c->buffer_size, "HTTP/1.0 200 OK\r\n");
    q += snprintf(q, q - (char *) c->buffer + c->buffer_size, "Pragma: no-cache\r\n");
        q += snprintf(q, q - (char *) c->buffer + c->buffer_size,
                      "Server: Cougar 4.1.0.3923\r\nCache-Control: no-cache\r\nPragma: client-id=%d\r\nPragma: features=\"broadcast\"\r\n",
                      c->wmp_client_id);
    q += snprintf(q, q - (char *) c->buffer + c->buffer_size, "Content-Type: %s\r\n", mime_type);
    q += snprintf(q, q - (char *) c->buffer + c->buffer_size, "\r\n");
    q += snprintf(q, c->buffer_size,

All of these are exploitable bugs in violation of the C spec.

Ronald
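An added example (not code from this mail or from FFmpeg) showing the two defects Ronald points at and a pattern that avoids them: snprintf's return value is the length the output would have had, so it is kept only for a truncation check and never reused unclamped as a write offset, and the size argument is the space actually remaining rather than the quoted `q - buffer + buffer_size` expression. The header strings come from the quoted ffserver.c lines; the struct and function names are my own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Cursor for building a string in a fixed buffer. `len` counts every byte the
 * caller asked to append, so len >= cap means the output was truncated. */
struct strbuf { char *buf; size_t cap; size_t len; };

static void sb_init(struct strbuf *sb, char *buf, size_t cap)   /* cap >= 1 */
{
    sb->buf = buf; sb->cap = cap; sb->len = 0;
    buf[0] = '\0';
}

/* snprintf returns the length the whole output WOULD have had, not what it
 * wrote, so the cursor is clamped before it is reused as a write offset. */
static int sb_appendf(struct strbuf *sb, const char *fmt, ...)
{
    size_t used = sb->len < sb->cap ? sb->len : sb->cap - 1;
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(sb->buf + used, sb->cap - used, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;              /* encoding error, buffer left as it was */
    sb->len += (size_t)n;       /* true length, for the truncation check */
    return 0;
}

/* Size argument as computed in the quoted ffserver.c lines (q - buffer +
 * buffer_size, which grows as q advances) versus the space actually left. */
static size_t ffserver_size_arg(size_t off, size_t size) { return off + size; }
static size_t remaining(size_t off, size_t size) { return off < size ? size - off : 0; }

/* Build the header from the quoted lines into a caller-owned buffer. Returns
 * the length the full header needs (>= cap means truncated), 0 on error. */
static size_t build_header(char *buf, size_t cap, int client_id, const char *mime)
{
    struct strbuf sb;
    sb_init(&sb, buf, cap);
    if (sb_appendf(&sb, "HTTP/1.0 200 OK\r\n") ||
        sb_appendf(&sb, "Pragma: no-cache\r\n") ||
        sb_appendf(&sb, "Pragma: client-id=%d\r\n", client_id) ||
        sb_appendf(&sb, "Content-Type: %s\r\n\r\n", mime))
        return 0;
    return sb.len;
}
```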

