1 files changed, 40 insertions, 0 deletions

diff --git a/multimedia/mythtv/files/patch-CVE-2016-10192 b/multimedia/mythtv/files/patch-CVE-2016-10192
new file mode 100644
index 000000000000..f2d9c9a9fbe4
--- /dev/null
+++ b/multimedia/mythtv/files/patch-CVE-2016-10192
@@ -0,0 +1,40 @@
+From c12ee64e80af2517005231388fdf4ea78f16bb0e Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Mon, 5 Dec 2016 17:27:45 +0100
+Subject: [PATCH] ffserver: Check chunk size
+
+Fixes out of array access
+
+Fixes: poc_ffserver.py
+Found-by: Paul Cher <paulcher@icloud.com>
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+(cherry picked from commit a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ ffserver.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git ffserver.c ffserver.c
+index 453d790e6cd..aec808e78cb 100644
+--- external/FFmpeg/ffserver.c.orig
++++ external/FFmpeg/ffserver.c
+@@ -2702,8 +2702,10 @@ static int http_receive_data(HTTPContext *c)
+         } else if (c->buffer_ptr - c->buffer >= 2 &&
+                    !memcmp(c->buffer_ptr - 1, "\r\n", 2)) {
+             c->chunk_size = strtol(c->buffer, 0, 16);
+-            if (c->chunk_size == 0) // end of stream
++            if (c->chunk_size <= 0) { // end of stream or invalid chunk size
++                c->chunk_size = 0;
+                 goto fail;
++            }
+             c->buffer_ptr = c->buffer;
+             break;
+         } else if (++loop_run > 10)
+@@ -2725,6 +2727,7 @@ static int http_receive_data(HTTPContext *c)
+             /* end of connection : close it */
+             goto fail;
+         else {
++            av_assert0(len <= c->chunk_size);
+             c->chunk_size -= len;
+             c->buffer_ptr += len;
+             c->data_count += len;