Changeset View
Changeset View
Standalone View
Standalone View
head/multimedia/mythtv/files/patch-CVE-2017-09608c
Property | Old Value | New Value |
---|---|---|
fbsd:nokeywords | null | yes \ No newline at end of property |
svn:eol-style | null | native \ No newline at end of property |
svn:mime-type | null | text/plain \ No newline at end of property |
From 0a709e2a10b8288a0cc383547924ecfe285cef89 Mon Sep 17 00:00:00 2001 | |||||
From: Michael Niedermayer <michael@niedermayer.cc> | |||||
Date: Wed, 14 Jun 2017 16:58:20 +0200 | |||||
Subject: [PATCH] avcodec/dnxhd_parser: Do not return invalid value from | |||||
dnxhd_find_frame_end() on error | |||||
Fixes: Null pointer dereference | |||||
Fixes: CVE-2017-9608 | |||||
Found-by: Yihan Lian | |||||
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | |||||
(cherry picked from commit 611b35627488a8d0763e75c25ee0875c5b7987dd) | |||||
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | |||||
--- | |||||
libavcodec/dnxhd_parser.c | 12 +++++++----- | |||||
1 file changed, 7 insertions(+), 5 deletions(-) | |||||
diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c | |||||
index a1f632a620e..f1166be1007 100644 | |||||
--- external/FFmpeg/libavcodec/dnxhd_parser.c | |||||
+++ external/FFmpeg/libavcodec/dnxhd_parser.c | |||||
@@ -81,16 +81,18 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx, | |||||
dctx->w = (state >> 32) & 0xFFFF; | |||||
} else if (dctx->cur_byte == 42) { | |||||
int cid = (state >> 32) & 0xFFFFFFFF; | |||||
+ int remaining; | |||||
if (cid <= 0) | |||||
continue; | |||||
- dctx->remaining = avpriv_dnxhd_get_frame_size(cid); | |||||
- if (dctx->remaining <= 0) { | |||||
- dctx->remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h); | |||||
- if (dctx->remaining <= 0) | |||||
- return dctx->remaining; | |||||
+ remaining = avpriv_dnxhd_get_frame_size(cid); | |||||
+ if (remaining <= 0) { | |||||
+ remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h); | |||||
+ if (remaining <= 0) | |||||
+ continue; | |||||
} | |||||
+ dctx->remaining = remaining; | |||||
if (buf_size - i + 47 >= dctx->remaining) { | |||||
int remaining = dctx->remaining; | |||||