
[FFmpeg-devel] pgssubdec: reset rle_data_len/rle_remaining_len on allocation error

Message ID 3335367d-e47e-6ac3-2f9e-6a46266b2ce6@googlemail.com
State Accepted
Commit 842e98b4d83d8cf297e2bc2761f1f47eb89e49e4

Commit Message

Andreas Cadhalpun Jan. 31, 2017, 12:59 a.m. UTC
The code relies on their validity and otherwise can try to access a NULL
object->rle pointer, causing segmentation faults.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavcodec/pgssubdec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Michael Niedermayer Jan. 31, 2017, 2:13 p.m. UTC | #1
On Tue, Jan 31, 2017 at 01:59:38AM +0100, Andreas Cadhalpun wrote:
> The code relies on their validity and otherwise can try to access a NULL
> object->rle pointer, causing segmentation faults.
> 
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
> ---
>  libavcodec/pgssubdec.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)

LGTM

please also backport this to the releases

thx

[...]
Andreas Cadhalpun Feb. 1, 2017, 1:27 a.m. UTC | #2
On 31.01.2017 15:13, Michael Niedermayer wrote:
> On Tue, Jan 31, 2017 at 01:59:38AM +0100, Andreas Cadhalpun wrote:
>> The code relies on their validity and otherwise can try to access a NULL
>> object->rle pointer, causing segmentation faults.
>>
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
>> ---
>>  libavcodec/pgssubdec.c | 5 ++++-
>>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> LGTM

Pushed.

> please also backport this to the releases

Will do.

Best regards,
Andreas

Patch

diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
index b50b37b206..b897d72aab 100644
--- a/libavcodec/pgssubdec.c
+++ b/libavcodec/pgssubdec.c
@@ -300,8 +300,11 @@  static int parse_object_segment(AVCodecContext *avctx,
 
     av_fast_padded_malloc(&object->rle, &object->rle_buffer_size, rle_bitmap_len);
 
-    if (!object->rle)
+    if (!object->rle) {
+        object->rle_data_len = 0;
+        object->rle_remaining_len = 0;
         return AVERROR(ENOMEM);
+    }
 
     memcpy(object->rle, buf, buf_size);
     object->rle_data_len = buf_size;
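Review bot: the new `if (!object->rle) { ... }` branch deserves a one-line comment explaining why the two length fields are zeroed, since on its own it reads like redundant cleanup: after the failed `av_fast_padded_malloc` the `object->rle` pointer is NULL while `rle_data_len` and `rle_remaining_len` still carry the values from the previous segment, and the later RLE decode path trusts those lengths and dereferences the NULL buffer. Something like `/* keep the lengths consistent with the NULL rle buffer */` above `object->rle_data_len = 0;` would make the invariant explicit. The hunk leaves `object->rle_buffer_size` untouched; please confirm against the `av_fast_padded_malloc` contract that it is reset to 0 on allocation failure, otherwise it belongs in the same branch so that a later successful allocation is not skipped on a stale size.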