Diffstat (limited to 'multimedia/mythtv/files/patch-CVE-2017-11719')
-rw-r--r-- | multimedia/mythtv/files/patch-CVE-2017-11719 | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/multimedia/mythtv/files/patch-CVE-2017-11719 b/multimedia/mythtv/files/patch-CVE-2017-11719
new file mode 100644
index 000000000000..2633a0c962d2
--- /dev/null
+++ b/multimedia/mythtv/files/patch-CVE-2017-11719
@@ -0,0 +1,41 @@
+From 6a10b962e3053b9fc851fcce23a60ac653abdc8c Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Wed, 26 Jul 2017 03:26:59 +0200
+Subject: [PATCH] avcodec/dnxhddec: Move mb height check out of non hr branch
+
+Fixes: out of array access
+Fixes: poc.dnxhd
+
+Found-by: Bingchang, Liu@VARAS of IIE
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+(cherry picked from commit 296debd213bd6dce7647cedd34eb64e5b94cdc92)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavcodec/dnxhddec.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git libavcodec/dnxhddec.c libavcodec/dnxhddec.c
+index 4d1b006bb50..66a0de2e627 100644
+--- external/FFmpeg/libavcodec/dnxhddec.c
++++ external/FFmpeg/libavcodec/dnxhddec.c
+@@ -294,14 +294,18 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame,
+ if (ctx->mb_height > 68 && ff_dnxhd_check_header_prefix_hr(header_prefix)) {
+ ctx->data_offset = 0x170 + (ctx->mb_height << 2);
+ } else {
+- if (ctx->mb_height > 68 ||
+- (ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) {
++ if (ctx->mb_height > 68) {
+ av_log(ctx->avctx, AV_LOG_ERROR,
+ "mb height too big: %d\n", ctx->mb_height);
+ return AVERROR_INVALIDDATA;
+ }
+ ctx->data_offset = 0x280;
+ }
++ if ((ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) {
++ av_log(ctx->avctx, AV_LOG_ERROR,
++ "mb height too big: %d\n", ctx->mb_height);
++ return AVERROR_INVALIDDATA;
++ }
+
+ if (buf_size < ctx->data_offset) {
+ av_log(ctx->avctx, AV_LOG_ERROR, |
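Review bot: The relocated frame-height bound and the remaining `ctx->mb_height > 68` limit in the non-HR branch both log the same `"mb height too big: %d\n"`, so a rejected file cannot be attributed to one check or the other from the log alone. For the new check, which now runs for HR and non-HR headers alike, a distinct message such as `"mb height %d exceeds frame height %d\n", ctx->mb_height, ctx->height` would make triage of malformed DNxHD input easier. A one-line comment above it, for example `/* applies to HR headers too: mb_height must fit the frame height (out of array access otherwise, per the commit message) */`, would also record why the test was moved out of the else branch. Since this is a cherry-pick carried as a port patch, the wording change probably belongs upstream so the local file stays identical to the upstream commit; dnxhd_decode_header starts and ends outside the hunk.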