From 131644677970a3c4a0096270ea2a5b5d437c2e63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Thu, 15 Dec 2016 10:24:20 +0200
Subject: [PATCH] http: Check for negative chunk sizes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A negative chunk size is illegal and would end up used as length for memcpy, where it would lead to memory accesses out of bounds.

Found-by: Paul Cher
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
---
 libavformat/http.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavformat/http.c b/libavformat/http.c
index 8fe8d11e1e..00cf295001 100644
--- libavformat/http.c
+++ b/libavformat/http.c
@@ -784,8 +784,9 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size)
 av_log(NULL, AV_LOG_TRACE, "Chunked encoding data size: %"PRId64"'\n", s->chunksize);
-
- if (!s->chunksize)
+ if (s->chunksize < 0)
+ return AVERROR_INVALIDDATA;
+ else if (!s->chunksize)
 return 0;
 break;
 }
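Review bot: The new `return AVERROR_INVALIDDATA;` path rejects a negative chunk size without logging anything, and the only nearby message is at trace level with a NULL context, so a server that sends a malformed chunk header leaves no record in normal logs. Consider logging before the return, e.g. `av_log(h, AV_LOG_ERROR, "Invalid chunk size %"PRId64"\n", s->chunksize);`. The check also covers only the sign. The chunk-size parse is outside the hunk, so it cannot be confirmed here whether a non-hex or overflowing size line is told apart from the terminating zero chunk, and that is worth verifying. http_read_stream's body starts and ends outside the hunk.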