[FFmpeg-cvslog] avformat/rtpdec_h264: fix null pointer dereferences

[Michael Niedermayer]

ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Fri Dec 13 01:27:26 2013 +0100| [c5f15f40b9b25f033fd9e8dd1e12763913098c11] | committer: Michael Niedermayer

avformat/rtpdec_h264: fix null pointer dereferences

Fixes CID733716

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c5f15f40b9b25f033fd9e8dd1e12763913098c11
---

 libavformat/rtpdec_h264.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/libavformat/rtpdec_h264.c b/libavformat/rtpdec_h264.c
index be657c0..8b9300e 100644
--- a/libavformat/rtpdec_h264.c
+++ b/libavformat/rtpdec_h264.c
@@ -190,7 +190,8 @@ static int h264_handle_packet(AVFormatContext *ctx, PayloadContext *data,
     switch (type) {
     case 0:                    // undefined, but pass them through
     case 1:
-        av_new_packet(pkt, len + sizeof(start_sequence));
+        if ((result = av_new_packet(pkt, len + sizeof(start_sequence))) < 0)
+            return result;
         memcpy(pkt->data, start_sequence, sizeof(start_sequence));
         memcpy(pkt->data + sizeof(start_sequence), buf, len);
         COUNT_NAL_TYPE(data, nal);
@@ -292,12 +293,14 @@ static int h264_handle_packet(AVFormatContext *ctx, PayloadContext *data,
                 COUNT_NAL_TYPE(data, nal_type);
             if (start_bit) {
                 /* copy in the start sequence, and the reconstructed nal */
-                av_new_packet(pkt, sizeof(start_sequence) + sizeof(nal) + len);
+                if ((result = av_new_packet(pkt, sizeof(start_sequence) + sizeof(nal) + len)) < 0)
+                    return result;
                 memcpy(pkt->data, start_sequence, sizeof(start_sequence));
                 pkt->data[sizeof(start_sequence)] = reconstructed_nal;
                 memcpy(pkt->data + sizeof(start_sequence) + sizeof(nal), buf, len);
             } else {
-                av_new_packet(pkt, len);
+                if ((result = av_new_packet(pkt, len)) < 0)
+                    return result;
                 memcpy(pkt->data, buf, len);
             }
         } else {