mirror/freebsd-ports
1
0
Fork 0
mirror of https://git.FreeBSD.org/ports.git synced 2025-01-15 07:56:36 +00:00
Code Issues Releases Activity
03bf7f7434
freebsd-ports/multimedia/mythtv/files/patch-CVE-2017-11399
Jason E. Hale db032688df Update multimedia/mythtv and related ports to 29.1 [1] 
Convert multimedia/mythtv-frontend to a slave port of multimedia/mythtv
which should make future updates much easier.

Upstream security patches have been added to address known
vulnerabilities in the bundled ffmpeg 3.2.

PR:		225652 (initial patches to update to 29.0) [1]
Submitted by:	<lucylangthorne55@gmail.com> [1]
Differential Revision:	https://reviews.freebsd.org/D14563
2018-03-25 17:09:05 +00:00

50 lines
2.1 KiB
Plaintext
Raw Blame History

From 5bb861d45b86803ec39295cfc04889d2a7138361 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sun, 16 Jul 2017 14:57:20 +0200
Subject: [PATCH] avcodec/apedec: Fix integer overflow
Fixes: out of array access
Fixes: PoC.ape and others
Found-by: Bingchang, Liu@VARAS of IIE
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ba4beaf6149f7241c8bd85fe853318c2f6837ad0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/apedec.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git libavcodec/apedec.c libavcodec/apedec.c
index b99598b4ee7..072e3b42cff 100644
--- external/FFmpeg/libavcodec/apedec.c
+++ external/FFmpeg/libavcodec/apedec.c
@@ -1412,6 +1412,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
int32_t *sample24;
int i, ch, ret;
int blockstodecode;
+ uint64_t decoded_buffer_size;
/* this should never be negative, but bad things will happen if it is, so
check it just to make sure. */
@@ -1467,7 +1468,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
skip_bits_long(&s->gb, offset);
}
- if (!nblocks || nblocks > INT_MAX) {
+ if (!nblocks || nblocks > INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8) {
av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %"PRIu32".\n",
nblocks);
return AVERROR_INVALIDDATA;
@@ -1493,8 +1494,9 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
blockstodecode = s->samples;
/* reallocate decoded sample buffer if needed */
- av_fast_malloc(&s->decoded_buffer, &s->decoded_size,
- 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer));
+ decoded_buffer_size = 2LL * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer);
+ av_assert0(decoded_buffer_size <= INT_MAX);
+ av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size);
if (!s->decoded_buffer)
return AVERROR(ENOMEM);
memset(s->decoded_buffer, 0, s->decoded_size);
Reference in New Issue View Git Blame Copy Permalink