pgssubdec: reset rle_data_len/rle_remaining_len on allocation error

The code relies on their validity and otherwise can try to access a NULL object->rle pointer, causing segmentation faults. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 842e98b4d83d8cf297e2bc2761f1f47eb89e49e4) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
author: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2017-01-31 01:55:44 +0100
committer: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2017-02-01 02:28:09 +0100
commit: 83269fd13b79e19e02e23755e68377f2f60817a4 (patch)
tree: a6252b1ad4d230523e1d554932a26bdae1915a92
parent: 884cd3caa5cc111daaa4ff2ca05c99e05a713e47 (diff)
download: ffmpeg-83269fd13b79e19e02e23755e68377f2f60817a4.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
index b50b37b206..b897d72aab 100644
--- a/libavcodec/pgssubdec.c
+++ b/libavcodec/pgssubdec.c
@@ -300,8 +300,11 @@ static int parse_object_segment(AVCodecContext *avctx,
 
     av_fast_padded_malloc(&object->rle, &object->rle_buffer_size, rle_bitmap_len);
 
-    if (!object->rle)
+    if (!object->rle) {
+        object->rle_data_len = 0;
+        object->rle_remaining_len = 0;
         return AVERROR(ENOMEM);
+    }
 
     memcpy(object->rle, buf, buf_size);
     object->rle_data_len = buf_size;
author	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2017-01-31 01:55:44 +0100
committer	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2017-02-01 02:28:09 +0100
commit	83269fd13b79e19e02e23755e68377f2f60817a4 (patch)
tree	a6252b1ad4d230523e1d554932a26bdae1915a92
parent	884cd3caa5cc111daaa4ff2ca05c99e05a713e47 (diff)
download	ffmpeg-83269fd13b79e19e02e23755e68377f2f60817a4.tar.gz