Changeset View
Changeset View
Standalone View
Standalone View
head/multimedia/mythtv/files/patch-CVE-2017-11719
Property | Old Value | New Value |
---|---|---|
fbsd:nokeywords | null | yes \ No newline at end of property |
svn:eol-style | null | native \ No newline at end of property |
svn:mime-type | null | text/plain \ No newline at end of property |
From 6a10b962e3053b9fc851fcce23a60ac653abdc8c Mon Sep 17 00:00:00 2001 | |||||
From: Michael Niedermayer <michael@niedermayer.cc> | |||||
Date: Wed, 26 Jul 2017 03:26:59 +0200 | |||||
Subject: [PATCH] avcodec/dnxhddec: Move mb height check out of non hr branch | |||||
Fixes: out of array access | |||||
Fixes: poc.dnxhd | |||||
Found-by: Bingchang, Liu@VARAS of IIE | |||||
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | |||||
(cherry picked from commit 296debd213bd6dce7647cedd34eb64e5b94cdc92) | |||||
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | |||||
--- | |||||
libavcodec/dnxhddec.c | 8 ++++++-- | |||||
1 file changed, 6 insertions(+), 2 deletions(-) | |||||
diff --git libavcodec/dnxhddec.c libavcodec/dnxhddec.c | |||||
index 4d1b006bb50..66a0de2e627 100644 | |||||
--- external/FFmpeg/libavcodec/dnxhddec.c | |||||
+++ external/FFmpeg/libavcodec/dnxhddec.c | |||||
@@ -294,14 +294,18 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame, | |||||
if (ctx->mb_height > 68 && ff_dnxhd_check_header_prefix_hr(header_prefix)) { | |||||
ctx->data_offset = 0x170 + (ctx->mb_height << 2); | |||||
} else { | |||||
- if (ctx->mb_height > 68 || | |||||
- (ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) { | |||||
+ if (ctx->mb_height > 68) { | |||||
av_log(ctx->avctx, AV_LOG_ERROR, | |||||
"mb height too big: %d\n", ctx->mb_height); | |||||
return AVERROR_INVALIDDATA; | |||||
} | |||||
ctx->data_offset = 0x280; | |||||
} | |||||
+ if ((ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) { | |||||
+ av_log(ctx->avctx, AV_LOG_ERROR, | |||||
+ "mb height too big: %d\n", ctx->mb_height); | |||||
+ return AVERROR_INVALIDDATA; | |||||
+ } | |||||
if (buf_size < ctx->data_offset) { | |||||
av_log(ctx->avctx, AV_LOG_ERROR, |