
Commit 31c1c0b

avcodec/dnxhd_parser: Do not return invalid value from dnxhd_find_frame_end() on error
Fixes: Null pointer dereference Fixes: CVE-2017-9608 Found-by: Yihan Lian Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 611b356) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
1 parent 6d77a3f commit 31c1c0b


1 file changed

+7
-5
lines changed


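--- a/libavcodec/dnxhd_parser.c
+++ b/libavcodec/dnxhd_parser.c
@@ -87,16 +87,18 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
 dctx->w = (state >> 32) & 0xFFFF;
 } else if (dctx->cur_byte == 42) {
 int cid = (state >> 32) & 0xFFFFFFFF;
+int remaining;
 
 if (cid <= 0)
 continue;
 
-dctx->remaining = avpriv_dnxhd_get_frame_size(cid);
-if (dctx->remaining <= 0) {
-dctx->remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
-if (dctx->remaining <= 0)
-return dctx->remaining;
+remaining = avpriv_dnxhd_get_frame_size(cid);
+if (remaining <= 0) {
+remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
+if (remaining <= 0)
+continue;
 }
+dctx->remaining = remaining;
 if (buf_size - i >= dctx->remaining && (!dctx->interlaced || dctx->cur_field)) {
 int remaining = dctx->remaining;
 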
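Review bot: The new `int remaining;` declared at the top of the `cur_byte == 42` branch is shadowed a few lines later by the existing `int remaining = dctx->remaining;` inside the `buf_size - i >= dctx->remaining` block, so one branch now has two variables of the same name. Giving the new local a distinct name, `int frame_size;` with `dctx->remaining = frame_size;` after the checks, avoids a `-Wshadow` warning and makes it clear which variable later code reads. The new `continue` on a non-positive size also deserves a short comment such as `/* unknown CID: keep scanning, never return a non-positive size as a frame end */`, because that is the point of the fix and the code alone does not say so. The enclosing function starts and ends outside the hunk, so how the inner `remaining` is used afterwards is not visible here.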
