flashsv: Initialize the block array

Message ID 20151102200515.6F6175DAAE@aruru.libav.org
State New

Commit Message

Janne Grunau Nov. 2, 2015, 8:05 p.m.
Module: libav
Branch: master
Commit: 50d2a3b5f34e6f99e5ffe17f2be5eb1815555960

Author:    Luca Barbato <lu_zero@gentoo.org>
Committer: Luca Barbato <lu_zero@gentoo.org>
Date:      Sun Nov  1 04:07:48 2015 +0100

flashsv: Initialize the block array

Otherwise flashsv2_prime could be fed random data.

Bug-Id: 908
CC: libav-stable@libav.org

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

---

 libavcodec/flashsv.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Patch

diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c
index ee854ac..2cf8f3f 100644
--- a/libavcodec/flashsv.c
+++ b/libavcodec/flashsv.c
@@ -339,12 +339,14 @@  static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
     s->is_keyframe = (avpkt->flags & AV_PKT_FLAG_KEY) && (s->ver == 2);
     if (s->is_keyframe) {
         int err;
+        int nb_blocks = (v_blocks + !!v_part) *
+                        (h_blocks + !!h_part) * sizeof(s->blocks[0]);
         if ((err = av_reallocp(&s->keyframedata, avpkt->size)) < 0)
             return err;
         memcpy(s->keyframedata, avpkt->data, avpkt->size);
-        if ((err = av_reallocp(&s->blocks, (v_blocks + !!v_part) *
-                               (h_blocks + !!h_part) * sizeof(s->blocks[0]))) < 0)
+        if ((err = av_reallocp(&s->blocks, nb_blocks)) < 0)
             return err;
+        memset(s->blocks, 0, nb_blocks);
     }
 
     ff_dlog(avctx, "image: %dx%d block: %dx%d num: %dx%d part: %dx%d\n",
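
Review bot: nb_blocks in the added declaration holds a byte count rather than a number of blocks, because the product includes sizeof(s->blocks[0]), and it is declared as int. The multiplication by sizeof yields a size_t, which is then narrowed to int and converted back when passed to av_reallocp() and memset(), so a large enough product would be truncated or become negative before it reaches either call. Suggest declaring it as size_t and naming it for what it holds, for example blocks_size. The memset() itself is in the right place, since it runs only after the av_reallocp() error check has passed.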