From: Michael Niedermayer Date: Sat, 18 Jul 2015 07:24:45 +0000 (+0200) Subject: avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy() X-Git-Tag: archive/raspbian/6%11.12-1_deb8u3+rpi1^2~13 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=c292379e2153878b6eee274e0c95b2c5cf88a65d;p=libav.git avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy() avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy() Avoids leaving stale pointers Fixes: signal_sigabrt_7ffff70eccc9_819_sabtriple.rm with memlimit 536870912 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Gbp-Pq: Name CVE-2015-6826.patch --- diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 4ed2a33..7e445db 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1525,7 +1525,14 @@ int ff_rv34_decode_init_thread_copy(AVCodecContext *avctx) if (avctx->internal->is_copy) { r->tmp_b_block_base = NULL; + r->cbp_chroma = NULL; + r->cbp_luma = NULL; + r->deblock_coefs = NULL; + r->intra_types_hist = NULL; + r->mb_type = NULL; + ff_mpv_idct_init(&r->s); + if ((err = ff_mpv_common_init(&r->s)) < 0) return err; if ((err = rv34_decoder_alloc(r)) < 0) {
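Review bot: The five NULL assignments added after `r->tmp_b_block_base = NULL;` carry no comment saying why a thread copy must drop these fields, and the list is maintained by hand, so a pointer field added to the context later can be missed. Suggest a one-line comment above the block tying it to the commit message's "stale pointers" in a context where `avctx->internal->is_copy` is set. If these fields are the buffers that `rv34_decoder_alloc(r)` sets up (an assumption, since that function is not visible in this hunk), consider moving the clearing into a small helper kept next to that allocation so the two lists stay in step. The clearing also needs to stay ahead of `if ((err = ff_mpv_common_init(&r->s)) < 0) return err;`, because that early return exits before `rv34_decoder_alloc(r)` runs; the comment should say so, so that a later reorder does not bring the stale pointers back on the error path.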