Commit 1cfd5663 authored by Lorenz Brun Committed by Vittorio Giovara

dvbsubdec: Fixed segfault when decoding subtitles

This fixes a segfault (originally found in Movian, but traced to libav)
when decoding subtitles because only an array of rects is allocated,
but not the actual structs it contains. The issue was probably
introduced in commit 23833236 where the loop to allocate the rects in
the array was thrown away.
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
parent 3fdf50f9
...@@ -1285,13 +1285,18 @@ static int dvbsub_display_end_segment(AVCodecContext *avctx, const uint8_t *buf, ...@@ -1285,13 +1285,18 @@ static int dvbsub_display_end_segment(AVCodecContext *avctx, const uint8_t *buf,
} }
sub->num_rects = ctx->display_list_size; sub->num_rects = ctx->display_list_size;
if (sub->num_rects <= 0)
return AVERROR_INVALIDDATA;
sub->rects = av_mallocz_array(sub->num_rects * sub->num_rects, if (sub->num_rects > 0) {
sizeof(*sub->rects)); sub->rects = av_mallocz(sizeof(*sub->rects) * sub->num_rects);
if (!sub->rects) if (!sub->rects)
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
for (i = 0; i < sub->num_rects; i++) {
sub->rects[i] = av_mallocz(sizeof(*sub->rects[i]));
if (!sub->rects[i]) {
return AVERROR(ENOMEM);
}
}
}
i = 0; i = 0;
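Review bot: The pointer array is now sized with an open-coded multiplication, `av_mallocz(sizeof(*sub->rects) * sub->num_rects)`, where the count comes from `ctx->display_list_size` and nothing visible in the hunk bounds it; `sub->rects = av_mallocz_array(sub->num_rects, sizeof(*sub->rects));` would keep the overflow check that the `av_mallocz_array` call on the other side of the hunk had. In the per-rect loop, a failed `av_mallocz` returns `AVERROR(ENOMEM)` with `sub->rects` and the earlier entries still allocated and `sub->num_rects` unchanged, so this leaks unless the caller frees the subtitle on error, which is not visible here. The `<= 0` case also appears to no longer return `AVERROR_INVALIDDATA`, so the code after the hunk should be checked for reads of `sub->rects` while it is NULL. The body of `dvbsub_display_end_segment` starts and ends outside the hunk.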