Module: libav Branch: release/11 Commit: 8a5c24d9ea8f85029d1a9eeca3710e44cb60e227
Author: Lorenz Brun <[email protected]> Committer: Sean McGovern <[email protected]> Date: Fri Oct 21 22:51:37 2016 +0200 dvbsubdec: Fixed segfault when decoding subtitles This fixes a segfault (originally found in Movian, but traced to libav) when decoding subtitles because only an array of rects is allocated, but not the actual structs it contains. The issue was probably introduced in commit 2383323 where the loop to allocate the rects in the array was thrown away. Signed-off-by: Vittorio Giovara <[email protected]> (cherry picked from commit 1cfd566324f4a9be066ea400685b81c0695e64d9) Signed-off-by: Sean McGovern <[email protected]> --- libavcodec/dvbsubdec.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index 1be7f14..3430687 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -1321,13 +1321,18 @@ static int dvbsub_display_end_segment(AVCodecContext *avctx, const uint8_t *buf, } sub->num_rects = ctx->display_list_size; - if (sub->num_rects <= 0) - return AVERROR_INVALIDDATA; - sub->rects = av_mallocz_array(sub->num_rects * sub->num_rects, - sizeof(*sub->rects)); - if (!sub->rects) - return AVERROR(ENOMEM); + if (sub->num_rects > 0) { + sub->rects = av_mallocz(sizeof(*sub->rects) * sub->num_rects); + if (!sub->rects) + return AVERROR(ENOMEM); + for (i = 0; i < sub->num_rects; i++) { + sub->rects[i] = av_mallocz(sizeof(*sub->rects[i])); + if (!sub->rects[i]) { + return AVERROR(ENOMEM); + } + } + } i = 0; _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
