pgssubdec: reset rle_data_len/rle_remaining_len on allocation error
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Tue, 31 Jan 2017 00:55:44 +0000 (01:55 +0100)
committerAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Wed, 1 Feb 2017 01:29:08 +0000 (02:29 +0100)
The code relies on their validity and otherwise can try to access a NULL
object->rle pointer, causing segmentation faults.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 842e98b4d83d8cf297e2bc2761f1f47eb89e49e4)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
libavcodec/pgssubdec.c

index 6ff6cc4..b549ff2 100644 (file)
@@ -300,8 +300,11 @@ static int parse_object_segment(AVCodecContext *avctx,
 
     av_fast_padded_malloc(&object->rle, &object->rle_buffer_size, rle_bitmap_len);
 
-    if (!object->rle)
+    if (!object->rle) {
+        object->rle_data_len = 0;
+        object->rle_remaining_len = 0;
         return AVERROR(ENOMEM);
+    }
 
     memcpy(object->rle, buf, buf_size);
     object->rle_data_len = buf_size;