avcodec/dnxhd_parser: Do not return invalid value from dnxhd_find_frame_end() on error

Fixes: Null pointer dereference

Fixes: CVE-2017-9608
Found-by: Yihan Lian
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
michaelni committed Jun 15, 2017
1 parent b52b398 commit 611b356
Showing 1 changed file with 7 additions and 5 deletions.
12 changes: 7 additions & 5 deletions libavcodec/dnxhd_parser.c
Expand Up @@ -68,16 +68,18 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
dctx->w = (state >> 32) & 0xFFFF;
} else if (dctx->cur_byte == 42) {
int cid = (state >> 32) & 0xFFFFFFFF;
int remaining;

if (cid <= 0)
continue;

dctx->remaining = avpriv_dnxhd_get_frame_size(cid);
if (dctx->remaining <= 0) {
dctx->remaining = ff_dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
if (dctx->remaining <= 0)
return dctx->remaining;
remaining = avpriv_dnxhd_get_frame_size(cid);
if (remaining <= 0) {
remaining = ff_dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
if (remaining <= 0)
continue;
}
dctx->remaining = remaining;
if (buf_size - i + 47 >= dctx->remaining) {
int remaining = dctx->remaining;

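Review bot: the new `int remaining;` declared at the top of the `cur_byte == 42` branch is shadowed by the existing `int remaining = dctx->remaining;` inside the `if (buf_size - i + 47 >= dctx->remaining)` block in the trailing context. Both hold the same value at that point, so either drop the inner declaration and reuse the outer variable, or give the new local a distinct name such as `frame_size`, to avoid a shadowing warning and two same-named variables within a few lines. Separately, when both `avpriv_dnxhd_get_frame_size()` and `ff_dnxhd_get_hr_frame_size()` fail, the code now does `continue` instead of returning; a one-line comment there saying that `dctx->remaining` is only ever assigned a positive size and that an unrecognised `cid` is skipped rather than reported would document why the error return was removed.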