[libav-bugs] [Bug 1038] New: dvbsub decoder crash in dvbsub_display_end_segment

bugzilla at libav.org bugzilla at libav.org
Mon Mar 20 16:28:22 CET 2017


https://bugzilla.libav.org/show_bug.cgi?id=1038

            Bug ID: 1038
           Summary: dvbsub decoder crash in dvbsub_display_end_segment
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Windows
            Status: NEW
          Severity: critical
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: info at domoticz.com

When I call 'avcodec_decode_subtitle2' with valid subtitle data, I directly
receive a crash in

dvbsubdec.c/dvbsub_display_end_segment

It is crashing because sub->rects[i] is NULL

Not sure what is going on here with the call to

sub->rects = av_mallocz_array(sub->num_rects * sub->num_rects,
                                  sizeof(*sub->rects));

but in the next for loop, I have to allocate the rect before using it, like
(~line 1296):

        if (sub->rects[i] == NULL)
            sub->rects[i] = av_mallocz(sizeof(AVSubtitleRect));
        if (sub->rects[i] == NULL)
            continue;

        rect = sub->rects[i];

After this, all is working well.

Not sure if I just created a memory leak, but it looks like 'avsubtitle_free'
is also freeing this pointer.
Maybe the alloc call got lost a while ago?

Or is it a Windows problem? (Compiled with VS2017)

Would be great if someone could confirm if my patch is correct, or if something
else goes wrong.

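Added example, not part of the original report and not Libav code: a self-contained C model of the pattern the report describes, where a zero-initialised array of pointers leaves every slot NULL until each element is allocated separately, with rollback on failure and a free routine that walks the same array. The Demo* types, the demo_* functions and the fail_at test hook are stand-ins assumed for illustration; calloc/free take the place of av_mallocz/av_free.

```c
#include <stdlib.h>

/* Stand-in types for this example; not libavcodec's AVSubtitle/AVSubtitleRect. */
typedef struct DemoRect { int x, y, w, h; } DemoRect;
typedef struct DemoSub  { unsigned num_rects; DemoRect **rects; } DemoSub;

/* Frees every element and then the pointer array; safe on a partly built state. */
void demo_sub_free(DemoSub *sub)
{
    if (sub->rects)
        for (unsigned i = 0; i < sub->num_rects; i++)
            free(sub->rects[i]);              /* free(NULL) is a no-op */
    free(sub->rects);
    sub->rects = NULL;
    sub->num_rects = 0;
}

/* Allocates the pointer array and each element. Returns 0 on success, -1 on
 * failure with sub left empty. fail_at >= 0 simulates an allocation failure
 * at that index (hypothetical test hook); pass -1 for normal use. */
int demo_sub_alloc(DemoSub *sub, unsigned count, int fail_at)
{
    sub->rects = NULL;
    sub->num_rects = 0;
    if (count == 0)
        return 0;
    /* calloc checks count * size for overflow; every slot is NULL afterwards */
    sub->rects = calloc(count, sizeof(*sub->rects));
    if (!sub->rects)
        return -1;
    sub->num_rects = count;
    for (unsigned i = 0; i < count; i++) {
        sub->rects[i] = ((int)i == fail_at) ? NULL
                                            : calloc(1, sizeof(*sub->rects[i]));
        if (!sub->rects[i]) {                 /* roll back instead of skipping */
            demo_sub_free(sub);
            return -1;
        }
    }
    return 0;
}

/* Consumer loop: reports an error rather than dereferencing a NULL slot. */
int demo_sub_fill(DemoSub *sub)
{
    for (unsigned i = 0; i < sub->num_rects; i++) {
        if (!sub->rects || !sub->rects[i])
            return -1;
        sub->rects[i]->x = (int)i;
    }
    return 0;
}
```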