[FFmpeg-cvslog] pgssubdec: reset rle_data_len/rle_remaining_len on allocation error
Andreas Cadhalpun
git at videolan.org
Wed Feb  1 03:39:29 EET 2017

ffmpeg | branch: release/3.0 | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Tue Jan 31 01:55:44 2017 +0100| [1a168061da70e622d20d0cd96c99e5f741fd4f03] | committer: Andreas Cadhalpun
pgssubdec: reset rle_data_len/rle_remaining_len on allocation error
The code relies on their validity and otherwise can try to access a NULL
object->rle pointer, causing segmentation faults.
Reviewed-by: Michael Niedermayer <michael at niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
(cherry picked from commit 842e98b4d83d8cf297e2bc2761f1f47eb89e49e4)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1a168061da70e622d20d0cd96c99e5f741fd4f03
---
 libavcodec/pgssubdec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
index 5174d89..222c40a 100644
--- a/libavcodec/pgssubdec.c
+++ b/libavcodec/pgssubdec.c
@@ -300,8 +300,11 @@ static int parse_object_segment(AVCodecContext *avctx,
 
     av_fast_padded_malloc(&object->rle, &object->rle_buffer_size, rle_bitmap_len);
 
-    if (!object->rle)
+    if (!object->rle) {
+        object->rle_data_len = 0;
+        object->rle_remaining_len = 0;
         return AVERROR(ENOMEM);
+    }
 
     memcpy(object->rle, buf, buf_size);
     object->rle_data_len = buf_size;
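
Review bot: the new `if (!object->rle)` block zeroes rle_data_len and rle_remaining_len without a comment saying why, and the reason is not local to this function. Per the commit message, other code trusts these lengths and can dereference object->rle when they are non-zero. A one-line comment in the block, stating that lengths left over from before the failed allocation must not stay set while object->rle is NULL, would keep the reset from being dropped in a later cleanup. Separately, the buffer is sized by rle_bitmap_len while the `memcpy(object->rle, buf, buf_size);` that follows copies buf_size bytes. The check that buf_size does not exceed rle_bitmap_len is not visible in this hunk, so it is worth confirming that it is enforced earlier in parse_object_segment.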
    
    