Module: libav
Branch: release/12
Commit: 2661e897db07c55e79dc6e9d15663bc9d6f304e6

Author:    Lorenz Brun <lor...@dolansoft.org>
Committer: Diego Biurrun <di...@biurrun.de>
Date:      Fri Oct 21 22:51:37 2016 +0200

dvbsubdec: Fixed segfault when decoding subtitles

This fixes a segfault (originally found in Movian, but traced to libav)
when decoding subtitles because only an array of rects is allocated,
but not the actual structs it contains. The issue was probably
introduced in commit 2383323 where the loop to allocate the rects in
the array was thrown away.

Signed-off-by: Vittorio Giovara <vittorio.giov...@gmail.com>
(cherry picked from commit 1cfd566324f4a9be066ea400685b81c0695e64d9)
Signed-off-by: Diego Biurrun <di...@biurrun.de>

---

 libavcodec/dvbsubdec.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c
index ccdfc01..01f0560 100644
--- a/libavcodec/dvbsubdec.c
+++ b/libavcodec/dvbsubdec.c
@@ -1281,13 +1281,18 @@ static int dvbsub_display_end_segment(AVCodecContext 
*avctx, const uint8_t *buf,
     }
 
     sub->num_rects = ctx->display_list_size;
-    if (sub->num_rects <= 0)
-        return AVERROR_INVALIDDATA;
 
-    sub->rects = av_mallocz_array(sub->num_rects * sub->num_rects,
-                                  sizeof(*sub->rects));
-    if (!sub->rects)
-        return AVERROR(ENOMEM);
+    if (sub->num_rects > 0) {
+        sub->rects = av_mallocz(sizeof(*sub->rects) * sub->num_rects);
+        if (!sub->rects)
+            return AVERROR(ENOMEM);
+        for (i = 0; i < sub->num_rects; i++) {
+            sub->rects[i] = av_mallocz(sizeof(*sub->rects[i]));
+            if (!sub->rects[i]) {
+                return AVERROR(ENOMEM);
+            }
+        }
+    }
 
     i = 0;
 
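Review bot: the `return AVERROR(ENOMEM)` inside the new per-rect loop exits with `sub->rects` and the entries `0..i-1` still allocated and `sub->num_rects` still set to the full count. Nothing visible in this hunk releases them, so unless the caller frees the subtitle on error this path leaks and leaves a partially populated array behind. Free what was allocated and reset `sub->rects` and `sub->num_rects` before returning, or confirm that the caller's cleanup tolerates NULL entries. The outer allocation also moved from `av_mallocz_array()` to an open-coded `sizeof(*sub->rects) * sub->num_rects` with no overflow check. `av_mallocz_array(sub->num_rects, sizeof(*sub->rects))` keeps the check and drops the squared count that the old call passed. Finally, a `display_list_size` of 0 or less no longer returns `AVERROR_INVALIDDATA` and now falls through with `sub->rects` unallocated. The commit message does not mention that behaviour change, so it should either be documented there or the early return kept.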
