[FFmpeg-cvslog] avcodec/dnxhd_parser: Do not return invalid value from dnxhd_find_frame_end() on error

Michael Niedermayer git at videolan.org
Fri Jun 16 01:23:40 EEST 2017


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Wed Jun 14 16:58:20 2017 +0200| [611b35627488a8d0763e75c25ee0875c5b7987dd] | committer: Michael Niedermayer

avcodec/dnxhd_parser: Do not return invalid value from dnxhd_find_frame_end() on error

Fixes: Null pointer dereference

Fixes: CVE-2017-9608
Found-by: Yihan Lian
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=611b35627488a8d0763e75c25ee0875c5b7987dd
---

 libavcodec/dnxhd_parser.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c
index d9914121a0..79ca1d6718 100644
--- a/libavcodec/dnxhd_parser.c
+++ b/libavcodec/dnxhd_parser.c
@@ -68,16 +68,18 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
                 dctx->w = (state >> 32) & 0xFFFF;
             } else if (dctx->cur_byte == 42) {
                 int cid = (state >> 32) & 0xFFFFFFFF;
+                int remaining;
 
                 if (cid <= 0)
                     continue;
 
-                dctx->remaining = avpriv_dnxhd_get_frame_size(cid);
-                if (dctx->remaining <= 0) {
-                    dctx->remaining = ff_dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
-                    if (dctx->remaining <= 0)
-                        return dctx->remaining;
+                remaining = avpriv_dnxhd_get_frame_size(cid);
+                if (remaining <= 0) {
+                    remaining = ff_dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
+                    if (remaining <= 0)
+                        continue;
                 }
+                dctx->remaining = remaining;
                 if (buf_size - i + 47 >= dctx->remaining) {
                     int remaining = dctx->remaining;
 



More information about the ffmpeg-cvslog mailing list