kpriv/freebsd-ports
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
freebsd-ports/multimedia/mythtv/files/patch-CVE-2017-11719
Jason E. Hale db032688df Update multimedia/mythtv and related ports to 29.1 [1] 
Convert multimedia/mythtv-frontend to a slave port of multimedia/mythtv
which should make future updates much easier.

Upstream security patches have been added to address known
vulnerabilities in the bundled ffmpeg 3.2.

PR:		225652 (initial patches to update to 29.0) [1]
Submitted by:	<lucylangthorne55@gmail.com> [1]
Differential Revision:	https://reviews.freebsd.org/D14563
2018-03-25 17:09:05 +00:00

41 lines
1.7 KiB
Text
Raw Permalink Blame History

From 6a10b962e3053b9fc851fcce23a60ac653abdc8c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 26 Jul 2017 03:26:59 +0200
Subject: [PATCH] avcodec/dnxhddec: Move mb height check out of non hr branch
Fixes: out of array access
Fixes: poc.dnxhd
Found-by: Bingchang, Liu@VARAS of IIE
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 296debd213bd6dce7647cedd34eb64e5b94cdc92)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/dnxhddec.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git libavcodec/dnxhddec.c libavcodec/dnxhddec.c
index 4d1b006bb50..66a0de2e627 100644
--- external/FFmpeg/libavcodec/dnxhddec.c
+++ external/FFmpeg/libavcodec/dnxhddec.c
@@ -294,14 +294,18 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame,
if (ctx->mb_height > 68 && ff_dnxhd_check_header_prefix_hr(header_prefix)) {
ctx->data_offset = 0x170 + (ctx->mb_height << 2);
} else {
- if (ctx->mb_height > 68 ||
- (ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) {
+ if (ctx->mb_height > 68) {
av_log(ctx->avctx, AV_LOG_ERROR,
"mb height too big: %d\n", ctx->mb_height);
return AVERROR_INVALIDDATA;
}
ctx->data_offset = 0x280;
}
+ if ((ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) {
+ av_log(ctx->avctx, AV_LOG_ERROR,
+ "mb height too big: %d\n", ctx->mb_height);
+ return AVERROR_INVALIDDATA;
+ }
if (buf_size < ctx->data_offset) {
av_log(ctx->avctx, AV_LOG_ERROR,
Reference in a new issue View git blame Copy permalink