Skip to content

Commit 611b356

Browse files
committed
avcodec/dnxhd_parser: Do not return invalid value from dnxhd_find_frame_end() on error
Fixes: Null pointer dereference Fixes: CVE-2017-9608 Found-by: Yihan Lian Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
1 parent b52b398 commit 611b356

File tree

1 file changed

+7
-5
lines changed

1 file changed

+7
-5
lines changed

Diff for: libavcodec/dnxhd_parser.c

+7-5
Original file line numberDiff line numberDiff line change
@@ -68,16 +68,18 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
6868
dctx->w = (state >> 32) & 0xFFFF;
6969
} else if (dctx->cur_byte == 42) {
7070
int cid = (state >> 32) & 0xFFFFFFFF;
71+
int remaining;
7172

7273
if (cid <= 0)
7374
continue;
7475

75-
dctx->remaining = avpriv_dnxhd_get_frame_size(cid);
76-
if (dctx->remaining <= 0) {
77-
dctx->remaining = ff_dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
78-
if (dctx->remaining <= 0)
79-
return dctx->remaining;
76+
remaining = avpriv_dnxhd_get_frame_size(cid);
77+
if (remaining <= 0) {
78+
remaining = ff_dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
79+
if (remaining <= 0)
80+
continue;
8081
}
82+
dctx->remaining = remaining;
8183
if (buf_size - i + 47 >= dctx->remaining) {
8284
int remaining = dctx->remaining;
8385

0 commit comments

Comments
 (0)