Commit 31c1c0b4 authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/dnxhd_parser: Do not return invalid value from dnxhd_find_frame_end() on error

Fixes: Null pointer dereference

Fixes: CVE-2017-9608
Found-by: Yihan Lian
Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 611b3562)
Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent 6d77a3ff
...@@ -87,16 +87,18 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx, ...@@ -87,16 +87,18 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
dctx->w = (state >> 32) & 0xFFFF; dctx->w = (state >> 32) & 0xFFFF;
} else if (dctx->cur_byte == 42) { } else if (dctx->cur_byte == 42) {
int cid = (state >> 32) & 0xFFFFFFFF; int cid = (state >> 32) & 0xFFFFFFFF;
int remaining;
if (cid <= 0) if (cid <= 0)
continue; continue;
dctx->remaining = avpriv_dnxhd_get_frame_size(cid); remaining = avpriv_dnxhd_get_frame_size(cid);
if (dctx->remaining <= 0) { if (remaining <= 0) {
dctx->remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h); remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
if (dctx->remaining <= 0) if (remaining <= 0)
return dctx->remaining; continue;
} }
dctx->remaining = remaining;
if (buf_size - i >= dctx->remaining && (!dctx->interlaced || dctx->cur_field)) { if (buf_size - i >= dctx->remaining && (!dctx->interlaced || dctx->cur_field)) {
int remaining = dctx->remaining; int remaining = dctx->remaining;