kpriv/freebsd-ports
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
freebsd-ports/multimedia/mythtv/files/patch-CVE-2017-09608c
Jason E. Hale db032688df Update multimedia/mythtv and related ports to 29.1 [1] 
Convert multimedia/mythtv-frontend to a slave port of multimedia/mythtv
which should make future updates much easier.

Upstream security patches have been added to address known
vulnerabilities in the bundled ffmpeg 3.2.

PR:		225652 (initial patches to update to 29.0) [1]
Submitted by:	<lucylangthorne55@gmail.com> [1]
Differential Revision:	https://reviews.freebsd.org/D14563
2018-03-25 17:09:05 +00:00

45 lines
1.8 KiB
Text
Raw Permalink Blame History

From 0a709e2a10b8288a0cc383547924ecfe285cef89 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 14 Jun 2017 16:58:20 +0200
Subject: [PATCH] avcodec/dnxhd_parser: Do not return invalid value from
dnxhd_find_frame_end() on error
Fixes: Null pointer dereference
Fixes: CVE-2017-9608
Found-by: Yihan Lian
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 611b35627488a8d0763e75c25ee0875c5b7987dd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/dnxhd_parser.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c
index a1f632a620e..f1166be1007 100644
--- external/FFmpeg/libavcodec/dnxhd_parser.c
+++ external/FFmpeg/libavcodec/dnxhd_parser.c
@@ -81,16 +81,18 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
dctx->w = (state >> 32) & 0xFFFF;
} else if (dctx->cur_byte == 42) {
int cid = (state >> 32) & 0xFFFFFFFF;
+ int remaining;
if (cid <= 0)
continue;
- dctx->remaining = avpriv_dnxhd_get_frame_size(cid);
- if (dctx->remaining <= 0) {
- dctx->remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
- if (dctx->remaining <= 0)
- return dctx->remaining;
+ remaining = avpriv_dnxhd_get_frame_size(cid);
+ if (remaining <= 0) {
+ remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
+ if (remaining <= 0)
+ continue;
}
+ dctx->remaining = remaining;
if (buf_size - i + 47 >= dctx->remaining) {
int remaining = dctx->remaining;
Reference in a new issue View git blame Copy permalink