From b9a24cee3ba0c0b27a41d71cde5f002296d10e86 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 4 Nov 2016 19:00:01 +0100 Subject: [PATCH] diracdec: clear slice_params_num_buf on allocation failure Otherwise it can be non-zero next time decode_lowdelay is called, causing slice_params_buf not to be allocated, leading to a NULL pointer dereference. The problem was introduced in commit dcad4677d637cd2f701917e38361fa96b8c9a418. Reviewed-by: Rostislav Pehlivanov Signed-off-by: Andreas Cadhalpun (cherry picked from commit 24d20496d2e6e1df6456c5231d892269dd1fcf38) Signed-off-by: Andreas Cadhalpun
---
 libavcodec/diracdec.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 5c669ffdee..bb314d0df6 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -910,6 +910,7 @@ static int decode_lowdelay(DiracContext *s)
 s->slice_params_buf = av_realloc_f(s->slice_params_buf, s->num_x * s->num_y, sizeof(DiracSlice));
 if (!s->slice_params_buf) {
 av_log(s->avctx, AV_LOG_ERROR, "slice params buffer allocation failure\n");
+ s->slice_params_num_buf = 0;
 return AVERROR(ENOMEM);
 }
 s->slice_params_num_buf = s->num_x * s->num_y;
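Review bot: The element count `s->num_x * s->num_y` is multiplied in the fields' own type before `av_realloc_f` receives it, so the overflow check inside `av_realloc_f` covers only count times `sizeof(DiracSlice)` and not the product itself; the same expression is then stored in `slice_params_num_buf` on the last line of the hunk. Whether `num_x` and `num_y` are bounded where they are parsed is not visible here, so that is worth confirming; if they are not, a guard ahead of the realloc such as `if (s->num_y && s->num_x > INT_MAX / s->num_y) return AVERROR_INVALIDDATA;` (with the limit adjusted to the fields' actual type) would keep a wrapped count from sizing the buffer. The added reset would also read better with a comment stating the invariant, for example `/* av_realloc_f freed the buffer on failure: the count must read 0 so the next call reallocates */`. The body of decode_lowdelay starts and ends outside the hunk, so the comparison that consumes `slice_params_num_buf` could not be checked from here.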