matroskadec: prevent access of elements after freeing

Using the decode interrupt feature of ffmpeg may cause crashes by
accessing previously freed pointers in matroska_read_close.

To prevent this reset nb_elem to zero after freeing the elements,
because ffmpeg normally tests for nb_elem.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index f79511e4f1ee3b7668bdd77e98e11f43e4a070a3..d96e861c48905160b1183098848f966dba6dc204 100644 (file)
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1237,6 +1237,7 @@ static void ebml_free(EbmlSyntax *syntax, void *data)
                      j++, ptr += syntax[i].list_elem_size)
                     ebml_free(syntax[i].def.n, ptr);
                 av_freep(&list->elem);
+                list->nb_elem = 0;
             } else
                 ebml_free(syntax[i].def.n, data_off);
         default: