freebsd-ports/multimedia/mythtv/files/patch-CVE-2017-09608c

From 0a709e2a10b8288a0cc383547924ecfe285cef89 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 14 Jun 2017 16:58:20 +0200
Subject: [PATCH] avcodec/dnxhd_parser: Do not return invalid value from
 dnxhd_find_frame_end() on error

Fixes: Null pointer dereference

Fixes: CVE-2017-9608
Found-by: Yihan Lian
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 611b35627488a8d0763e75c25ee0875c5b7987dd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dnxhd_parser.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c
index a1f632a620e..f1166be1007 100644
--- external/FFmpeg/libavcodec/dnxhd_parser.c
+++ external/FFmpeg/libavcodec/dnxhd_parser.c
@@ -81,16 +81,18 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
                 dctx->w = (state >> 32) & 0xFFFF;
             } else if (dctx->cur_byte == 42) {
                 int cid = (state >> 32) & 0xFFFFFFFF;
+                int remaining;
 
                 if (cid <= 0)
                     continue;
 
-                dctx->remaining = avpriv_dnxhd_get_frame_size(cid);
-                if (dctx->remaining <= 0) {
-                    dctx->remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
-                    if (dctx->remaining <= 0)
-                        return dctx->remaining;
+                remaining = avpriv_dnxhd_get_frame_size(cid);
+                if (remaining <= 0) {
+                    remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
+                    if (remaining <= 0)
+                        continue;
                 }
+                dctx->remaining = remaining;
                 if (buf_size - i + 47 >= dctx->remaining) {
                     int remaining = dctx->remaining;
Update multimedia/mythtv and related ports to 29.1 [1] Convert multimedia/mythtv-frontend to a slave port of multimedia/mythtv which should make future updates much easier. Upstream security patches have been added to address known vulnerabilities in the bundled ffmpeg 3.2. PR: 225652 (initial patches to update to 29.0) [1] Submitted by: <lucylangthorne55@gmail.com> [1] Differential Revision: https://reviews.freebsd.org/D14563 2018-03-25 19:09:05 +02:00			`From 0a709e2a10b8288a0cc383547924ecfe285cef89 Mon Sep 17 00:00:00 2001`
			`From: Michael Niedermayer <michael@niedermayer.cc>`
			`Date: Wed, 14 Jun 2017 16:58:20 +0200`
			`Subject: [PATCH] avcodec/dnxhd_parser: Do not return invalid value from`
			`dnxhd_find_frame_end() on error`

			`Fixes: Null pointer dereference`

			`Fixes: CVE-2017-9608`
			`Found-by: Yihan Lian`
			`Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>`
			`(cherry picked from commit 611b35627488a8d0763e75c25ee0875c5b7987dd)`
			`Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>`
			`---`
			`libavcodec/dnxhd_parser.c \| 12 +++++++-----`
			`1 file changed, 7 insertions(+), 5 deletions(-)`

			`diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c`
			`index a1f632a620e..f1166be1007 100644`
			`--- external/FFmpeg/libavcodec/dnxhd_parser.c`
			`+++ external/FFmpeg/libavcodec/dnxhd_parser.c`
			`@@ -81,16 +81,18 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,`
			`dctx->w = (state >> 32) & 0xFFFF;`
			`} else if (dctx->cur_byte == 42) {`
			`int cid = (state >> 32) & 0xFFFFFFFF;`
			`+ int remaining;`

			`if (cid <= 0)`
			`continue;`

			`- dctx->remaining = avpriv_dnxhd_get_frame_size(cid);`
			`- if (dctx->remaining <= 0) {`
			`- dctx->remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);`
			`- if (dctx->remaining <= 0)`
			`- return dctx->remaining;`
			`+ remaining = avpriv_dnxhd_get_frame_size(cid);`
			`+ if (remaining <= 0) {`
			`+ remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);`
			`+ if (remaining <= 0)`
			`+ continue;`
			`}`
			`+ dctx->remaining = remaining;`
			`if (buf_size - i + 47 >= dctx->remaining) {`
			`int remaining = dctx->remaining;`