[FFmpeg-cvslog] avcodec/dnxhd_parser: Do not return invalid value from dnxhd_find_frame_end() on error
Michael Niedermayer
git at videolan.org
Wed Jul 19 17:53:33 EEST 2017
ffmpeg | branch: release/3.3 | Michael Niedermayer <michael at niedermayer.cc> | Wed Jun 14 16:58:20 2017 +0200| [0a709e2a10b8288a0cc383547924ecfe285cef89] | committer: Michael Niedermayer
avcodec/dnxhd_parser: Do not return invalid value from dnxhd_find_frame_end() on error
Fixes: Null pointer dereference
Fixes: CVE-2017-9608
Found-by: Yihan Lian
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 611b35627488a8d0763e75c25ee0875c5b7987dd)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0a709e2a10b8288a0cc383547924ecfe285cef89
---
libavcodec/dnxhd_parser.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c
index a1f632a620..f1166be100 100644
--- a/libavcodec/dnxhd_parser.c
+++ b/libavcodec/dnxhd_parser.c
@@ -81,16 +81,18 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
dctx->w = (state >> 32) & 0xFFFF;
} else if (dctx->cur_byte == 42) {
int cid = (state >> 32) & 0xFFFFFFFF;
+ int remaining;
if (cid <= 0)
continue;
- dctx->remaining = avpriv_dnxhd_get_frame_size(cid);
- if (dctx->remaining <= 0) {
- dctx->remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
- if (dctx->remaining <= 0)
- return dctx->remaining;
+ remaining = avpriv_dnxhd_get_frame_size(cid);
+ if (remaining <= 0) {
+ remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
+ if (remaining <= 0)
+ continue;
}
+ dctx->remaining = remaining;
if (buf_size - i + 47 >= dctx->remaining) {
int remaining = dctx->remaining;
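Review bot: The new `int remaining;` declared at the top of the `dctx->cur_byte == 42` branch is shadowed by the existing `int remaining = dctx->remaining;` inside the following `if (buf_size - i + 47 >= dctx->remaining)` block. Consider dropping the inner declaration and reusing the outer local (or renaming one of them), so the two values cannot diverge and the code stays clean under shadow warnings. Separately, the `continue` taken when `remaining <= 0` would benefit from a one-line comment stating that a non-positive frame size must neither be stored in `dctx->remaining` nor returned from `dnxhd_find_frame_end()`, since the removed `return dctx->remaining;` did exactly that.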