From 5758620560f1aa329a26ca1585dc0dbd903522c4 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 17 Oct 2020 10:15:29 +0200
Subject: [PATCH] avcodec/movtextdec: Reset counter of fonts when freeing them

If allocating fonts fails when reading the header, all fonts are freed, yet the counter of fonts is not reset and no error is returned; when subtitles are decoded lateron, the inexistent list of fonts is searched for the matching font for this particular entry which of course leads to a segfault.

Reviewed-by: Philip Langdale
Signed-off-by: Andreas Rheinhardt
---
 libavcodec/movtextdec.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c
index 4a21dbf36d..068bdb7802 100644
--- a/libavcodec/movtextdec.c
+++ b/libavcodec/movtextdec.c
@@ -148,6 +148,7 @@ static void mov_text_cleanup_ftab(MovTextContext *m)
 }
 }
 av_freep(&m->ftab);
+ m->ftab_entries = 0;
 }
 
 static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m)
@@ -230,7 +231,6 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m)
 box_size += 3;
 if (avctx->extradata_size < box_size) {
 mov_text_cleanup_ftab(m);
- m->ftab_entries = 0;
 return -1;
 }
 m->ftab_temp = av_mallocz(sizeof(*m->ftab_temp));
@@ -245,7 +245,6 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m)
 box_size = box_size + font_length;
 if (avctx->extradata_size < box_size) {
 mov_text_cleanup_ftab(m);
- m->ftab_entries = 0;
 return -1;
 }
 m->ftab_temp->font = av_malloc(font_length + 1);
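Review bot: The new `m->ftab_entries = 0;` at the end of mov_text_cleanup_ftab() enforces an invariant that nothing in the hunk documents: the entry count must never outlive the table it describes, since the commit message says later font lookups walk the list by that count. A short comment above the assignment, e.g. `/* count must not outlive the table; lookups index m->ftab by ftab_entries */`, would discourage a later refactor from moving the reset back to individual call sites, which is how the allocation-failure path was missed. Separately, the commit message states that this failure path returns no error; the code after `av_mallocz()`/`av_malloc()` lies outside the hunks, but if it does fall through after cleanup, returning `AVERROR(ENOMEM)` there would report the condition instead of silently decoding without fonts. The body of mov_text_cleanup_ftab() starts outside the hunk.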