diracdec: clear slice_params_num_buf on allocation failure
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Fri, 4 Nov 2016 18:00:01 +0000 (19:00 +0100)
committerAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Thu, 17 Nov 2016 22:13:05 +0000 (23:13 +0100)
Otherwise it can be non-zero next time decode_lowdelay is called, causing
slice_params_buf not to be allocated, leading to a NULL pointer dereference.

The problem was introduced in commit
dcad4677d637cd2f701917e38361fa96b8c9a418.

Reviewed-by: Rostislav Pehlivanov <atomnuker@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 24d20496d2e6e1df6456c5231d892269dd1fcf38)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
libavcodec/diracdec.c

index 5c669ff..bb314d0 100644 (file)
@@ -910,6 +910,7 @@ static int decode_lowdelay(DiracContext *s)
         s->slice_params_buf = av_realloc_f(s->slice_params_buf, s->num_x * s->num_y, sizeof(DiracSlice));
         if (!s->slice_params_buf) {
             av_log(s->avctx, AV_LOG_ERROR, "slice params buffer allocation failure\n");
+            s->slice_params_num_buf = 0;
             return AVERROR(ENOMEM);
         }
         s->slice_params_num_buf = s->num_x * s->num_y;