flashsv: Initialize the block array

Otherwise flashsv2_prime could be fed random data. Bug-Id: 908 CC: libav-stable@libav.org Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
author: Luca Barbato <lu_zero@gentoo.org> 2015-11-01 04:07:48 +0100
committer: Luca Barbato <lu_zero@gentoo.org> 2015-11-02 16:29:46 +0100
commit: 50d2a3b5f34e6f99e5ffe17f2be5eb1815555960 (patch)
tree: 6d78b8af6649b47bc6d513012c9835c5c88889e1 /libavcodec/flashsv.c
parent: de41b555cdea2dcacbe98ee9edc83a8c15c73c4c (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c
index ee854acd5c..2cf8f3f584 100644
--- a/libavcodec/flashsv.c
+++ b/libavcodec/flashsv.c
@@ -339,12 +339,14 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
     s->is_keyframe = (avpkt->flags & AV_PKT_FLAG_KEY) && (s->ver == 2);
     if (s->is_keyframe) {
         int err;
+        int nb_blocks = (v_blocks + !!v_part) *
+                        (h_blocks + !!h_part) * sizeof(s->blocks[0]);
         if ((err = av_reallocp(&s->keyframedata, avpkt->size)) < 0)
             return err;
         memcpy(s->keyframedata, avpkt->data, avpkt->size);
-        if ((err = av_reallocp(&s->blocks, (v_blocks + !!v_part) *
-                               (h_blocks + !!h_part) * sizeof(s->blocks[0]))) < 0)
+        if ((err = av_reallocp(&s->blocks, nb_blocks)) < 0)
             return err;
+        memset(s->blocks, 0, nb_blocks);
     }
 
     ff_dlog(avctx, "image: %dx%d block: %dx%d num: %dx%d part: %dx%d\n",
author	Luca Barbato <lu_zero@gentoo.org>	2015-11-01 04:07:48 +0100
committer	Luca Barbato <lu_zero@gentoo.org>	2015-11-02 16:29:46 +0100
commit	50d2a3b5f34e6f99e5ffe17f2be5eb1815555960 (patch)
tree	6d78b8af6649b47bc6d513012c9835c5c88889e1 /libavcodec/flashsv.c
parent	de41b555cdea2dcacbe98ee9edc83a8c15c73c4c (diff)