pgssubdec: reset rle_data_len/rle_remaining_len on allocation error

The code relies on their validity and otherwise can try to access a NULL object->rle pointer, causing segmentation faults. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 842e98b4d83d8cf297e2bc2761f1f47eb89e49e4) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
author: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2017-01-31 01:55:44 +0100
committer: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2017-02-01 02:28:56 +0100
commit: 1a168061da70e622d20d0cd96c99e5f741fd4f03 (patch)
tree: 0904c6dbcc74910e4603a0d73eafb53c3dfcd39f
parent: 76961f4f42d28c7b4197c2cbef8bae3dc7b67379 (diff)
download: ffmpeg-1a168061da70e622d20d0cd96c99e5f741fd4f03.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
index 5174d89190..222c40a377 100644
--- a/libavcodec/pgssubdec.c
+++ b/libavcodec/pgssubdec.c
@@ -300,8 +300,11 @@ static int parse_object_segment(AVCodecContext *avctx,
 
     av_fast_padded_malloc(&object->rle, &object->rle_buffer_size, rle_bitmap_len);
 
-    if (!object->rle)
+    if (!object->rle) {
+        object->rle_data_len = 0;
+        object->rle_remaining_len = 0;
         return AVERROR(ENOMEM);
+    }
 
     memcpy(object->rle, buf, buf_size);
     object->rle_data_len = buf_size;
author	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2017-01-31 01:55:44 +0100
committer	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2017-02-01 02:28:56 +0100
commit	1a168061da70e622d20d0cd96c99e5f741fd4f03 (patch)
tree	0904c6dbcc74910e4603a0d73eafb53c3dfcd39f
parent	76961f4f42d28c7b4197c2cbef8bae3dc7b67379 (diff)
download	ffmpeg-1a168061da70e622d20d0cd96c99e5f741fd4f03.tar.gz