openharmony/third_party_ffmpeg
1
0
Fork 0
mirror of https://gitee.com/openharmony/third_party_ffmpeg synced 2024-12-03 16:51:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

avcodec/dnxhd_parser: Do not return invalid value from dnxhd_find_frame_end() on error

Browse Source 
Fixes: Null pointer dereference

Fixes: CVE-2017-9608
Found-by: Yihan Lian
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2017-06-14 16:58:20 +02:00
parent b52b398c30
commit 611b356274
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
libavcodec/dnxhd_parser.c
View File

@ -68,16 +68,18 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
dctx->w = (state >> 32) & 0xFFFF; dctx->w = (state >> 32) & 0xFFFF;
} else if (dctx->cur_byte == 42) { } else if (dctx->cur_byte == 42) {
int cid = (state >> 32) & 0xFFFFFFFF; int cid = (state >> 32) & 0xFFFFFFFF;
int remaining;
if (cid <= 0) if (cid <= 0)
continue; continue;
dctx->remaining = avpriv_dnxhd_get_frame_size(cid); remaining = avpriv_dnxhd_get_frame_size(cid);
if (dctx->remaining <= 0) { if (remaining <= 0) {
dctx->remaining = ff_dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h); remaining = ff_dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
if (dctx->remaining <= 0) if (remaining <= 0)
return dctx->remaining; continue;
} }
dctx->remaining = remaining;
if (buf_size - i + 47 >= dctx->remaining) { if (buf_size - i + 47 >= dctx->remaining) {
int remaining = dctx->remaining; int remaining = dctx->remaining;