[FFmpeg-devel] [PATCH] bprint: Remove custom vsnprintf

Nicolas George nicolas.george at normalesup.org
Sun Sep 9 12:22:40 CEST 2012


Le quartidi 24 fructidor, an CCXX, Ronald S. Bultje a écrit :
> Speaking of - ffmpeg relies on the opposite behaviour in quite a few
> cases. E.g. ffserver.c:
> 
>     q += snprintf(q, q - (char *) c->buffer + c->buffer_size,
> "HTTP/1.0 200 OK\r\n");
>     q += snprintf(q, q - (char *) c->buffer + c->buffer_size, "Pragma:
> no-cache\r\n");
>         q += snprintf(q, q - (char *) c->buffer + c->buffer_size,
> "Server: Cougar 4.1.0.3923\r\nCache-Control: no-cache\r\nPragma:
> client-id=%d\r\nPragma: features=\"broadcast\"\r\n",
> c->wmp_client_id);
>     q += snprintf(q, q - (char *) c->buffer + c->buffer_size,
> "Content-Type: %s\r\n", mime_type);
>     q += snprintf(q, q - (char *) c->buffer + c->buffer_size, "\r\n");
>     q += snprintf(q, c->buffer_size,

I would not say that ffmpeg relies on the opposite behaviour: rather, it
ignores the problem completely.

> All of these are exploitable bugs in violation of the C spec.

You are completely right on that. bprint was written specifically to replace
this kind of invalid and exploitable uses of snprintf, with an easy and
lightweight API (avio_open_dyn_buf is similar, but its API is IMHO much more
cumbersome). Finding, eliminating and testing all of them takes time,
unfortunately.

Regards,

-- 
  Nicolas George
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20120909/35fba3a4/attachment.asc>


More information about the ffmpeg-devel mailing list