From 2129b5518be9e4c1dba4e61179b3bc0196b285e2 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 18 Jul 2015 09:24:45 +0200
Subject: [PATCH] avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy()
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy()

Avoids leaving stale pointers

Fixes: signal_sigabrt_7ffff70eccc9_819_sabtriple.rm with memlimit 536870912
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer

Gbp-Pq: Name CVE-2015-6826.patch
---
 libavcodec/rv34.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index 4ed2a33..7e445db 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1525,7 +1525,14 @@ int ff_rv34_decode_init_thread_copy(AVCodecContext *avctx)

 if (avctx->internal->is_copy) {
 r->tmp_b_block_base = NULL;
+ r->cbp_chroma = NULL;
+ r->cbp_luma = NULL;
+ r->deblock_coefs = NULL;
+ r->intra_types_hist = NULL;
+ r->mb_type = NULL;
+
 ff_mpv_idct_init(&r->s);
+
 if ((err = ff_mpv_common_init(&r->s)) < 0)
 return err;
 if ((err = rv34_decoder_alloc(r)) < 0) {
--
2.30.2
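Review bot: The five NULL assignments added after `r->tmp_b_block_base = NULL;` carry no comment saying why they are needed or which field list they have to mirror, so a buffer added to the decoder later can bring the stale pointer back unnoticed. I would put `/* thread copy: drop the buffer pointers inherited from the source context so a failed init below never frees or reuses them */` above the block. If `rv34_decoder_alloc()` is where these fields are allocated (its body is not visible here), the comment should also say that the two lists must stay in sync. The early `return err;` after `ff_mpv_common_init()` leaves the copy with all six fields NULL, so it is worth confirming that the teardown path accepts NULL for each of them. The function begins above this hunk and the `rv34_decoder_alloc` failure branch continues past its last line.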