From b8c3ad53f4a6d7880bb45c73b90320c4d10b6ea9 Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Thu, 23 Jul 2009 13:51:05 +0200 Subject: [PATCH 01/11] In open(), make sure flags are initialized if vf_next_query_format isn't called. --- libmpcodecs/vf_ass.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/libmpcodecs/vf_ass.c b/libmpcodecs/vf_ass.c index 9ce50cf..05c04ca 100644 --- a/libmpcodecs/vf_ass.c +++ b/libmpcodecs/vf_ass.c @@ -381,7 +381,7 @@ static unsigned int fmt_list[]={ static int open(vf_instance_t *vf, char* args) { - int flags; + int flags = 0; vf->priv->outfmt = vf_match_csp(&vf->next,fmt_list,IMGFMT_YV12); if (vf->priv->outfmt) flags = vf_next_query_format(vf, vf->priv->outfmt); -- 1.6.3.3 From 5acbc6210e69f2e01a6f8977d4ced84c6667463d Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Thu, 23 Jul 2009 15:01:15 +0200 Subject: [PATCH 02/11] Fix NULL pointer dereference in fsdp_get_media_format(). --- stream/freesdp/parser.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/stream/freesdp/parser.c b/stream/freesdp/parser.c index 33bc1d5..c17041b 100644 --- a/stream/freesdp/parser.c +++ b/stream/freesdp/parser.c @@ -1644,7 +1644,7 @@ const char * fsdp_get_media_format (const fsdp_media_description_t * dsc, unsigned int index) { - if (!dsc && (index < dsc->formats_count)) + if (!dsc || (index < dsc->formats_count)) return NULL; return dsc->formats[index]; } -- 1.6.3.3 From 39538146f3e2db471993c2c0fa78ac8599dd2b56 Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Thu, 23 Jul 2009 15:08:30 +0200 Subject: [PATCH 03/11] Fix NULL pointer dereference in play_tree_new(). --- playtree.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/playtree.c b/playtree.c index 0f3ec57..9e60420 100644 --- a/playtree.c +++ b/playtree.c 
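Review bot: The `int flags = 0;` initializer in open() silently turns the "vf_match_csp() found no colorspace" case into "no capabilities", and the hunk does not show whether open() then fails or carries on with outfmt == 0. A one-line comment would make the intent explicit, e.g. `int flags = 0; /* stays 0 when no colorspace matches; outfmt == 0 must make open() fail below */`, and the no-match path after the hunk should be confirmed to return failure rather than relying on flags alone. The rest of open() is outside the hunk.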
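Review bot: The rewritten guard in fsdp_get_media_format() still has its bounds test inverted: `index < dsc->formats_count` is the valid case, so after this change every in-range index returns NULL and every out-of-range index falls through to read `dsc->formats[index]` past the end of the array. Switching `&&` to `||` fixes the NULL check but keeps the pre-existing wrong comparison; the line should read `if (!dsc || index >= dsc->formats_count) return NULL;`. With `||` the short-circuit is what keeps `dsc->formats_count` from being evaluated on a NULL dsc, which is worth a short comment since the original `&&` form looked similar and was wrong.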
@@ -21,8 +21,10 @@ play_tree_is_valid(play_tree_t* pt); play_tree_t* play_tree_new(void) { play_tree_t* r = calloc(1,sizeof(play_tree_t)); - if(r == NULL) + if(r == NULL) { mp_msg(MSGT_PLAYTREE,MSGL_ERR,"Can't allocate %d bytes of memory\n",(int)sizeof(play_tree_t)); + return NULL; + } r->entry_type = PLAY_TREE_ENTRY_NODE; return r; } -- 1.6.3.3 From 53bdbf6fbaa08ea8b2b178dd8b4b4a50d19609f0 Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Thu, 23 Jul 2009 15:14:00 +0200 Subject: [PATCH 04/11] Fix while condition in ShowPlayList(). It looks like a NULL pointer dereference but maybe it's just pointless --- gui/mplayer/gtk/pl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/gui/mplayer/gtk/pl.c b/gui/mplayer/gtk/pl.c index 8ca2f1e..9e69ba7 100644 --- a/gui/mplayer/gtk/pl.c +++ b/gui/mplayer/gtk/pl.c @@ -157,7 +157,7 @@ void ShowPlayList( void ) if ( plList ) { plItem * next = plList; - while ( next || next->next ) + while ( next ) { char * text[1][3]; text[0][2]=""; text[0][0]=next->name; -- 1.6.3.3 From d4e743ac8222ca56a0256d74a8c0ee1bb6a09896 Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Thu, 23 Jul 2009 15:20:20 +0200 Subject: [PATCH 05/11] Fix a NULL pointer dereference in guiGetEvent() --- gui/interface.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/gui/interface.c b/gui/interface.c index 63d86cd..89b797c 100644 --- a/gui/interface.c +++ b/gui/interface.c @@ -765,7 +765,7 @@ int guiGetEvent( int type,char * arg ) } } - if ( !video_driver_list && !video_driver_list[0] ) { gtkMessageBox( GTK_MB_FATAL,MSGTR_IDFGCVD ); exit_player( "gui init" ); } + if ( !video_driver_list || !video_driver_list[0] ) { gtkMessageBox( GTK_MB_FATAL,MSGTR_IDFGCVD ); exit_player( "gui init" ); } { int i = 0; -- 1.6.3.3 From 29c87fc6039a0f9a57b79a73b16c83bbbc2c17cc Mon Sep 17 00:00:00 2001 
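Review bot: Returning NULL from play_tree_new() only removes the crash if callers test the result; the old function never returned NULL (it dereferenced r itself), so existing call sites were presumably written without a check and will now fault one frame up instead. Those callers are outside the hunk and need an audit, and the new contract should be stated on the function, e.g. `/* Returns NULL (after logging) when the node cannot be allocated; callers must check. */`. The `(int)sizeof(play_tree_t)` cast in the log call matches the `%d` specifier, so that line is fine as is.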
From: Fabian Keil Date: Thu, 23 Jul 2009 15:42:06 +0200 Subject: [PATCH 06/11] Fix NULL pointer dereference in urarlib_list(). Not sure if this is the right fix, though. --- unrarlib.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/unrarlib.c b/unrarlib.c index cc41fe3..f0fcb0d 100644 --- a/unrarlib.c +++ b/unrarlib.c @@ -548,6 +548,7 @@ int urarlib_list(void *rarfile, ArchiveList_struct *list) } else /* add entry */ { + (DWORD)tmp_List = (*(DWORD*)list); tmp_List->next = malloc(sizeof(ArchiveList_struct)); tmp_List = (ArchiveList_struct*) tmp_List->next; tmp_List->next = NULL; -- 1.6.3.3 From 8e1f96e17d7a19a0803b281b85823b691c28a7e1 Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Thu, 23 Jul 2009 15:46:04 +0200 Subject: [PATCH 07/11] Fix NULL pointer dereference in sub_unicode() --- libvo/font_load.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) diff --git a/libvo/font_load.c b/libvo/font_load.c index bd1ed12..705b79b 100644 --- a/libvo/font_load.c +++ b/libvo/font_load.c @@ -327,12 +327,13 @@ return desc; fail_out: if (f) fclose(f); - if (desc->fpath) - free(desc->fpath); - if (desc->name) - free(desc->name); - if (desc) + if (desc) { + if (desc->fpath) + free(desc->fpath); + if (desc->name) + free(desc->name); free(desc); + } return NULL; } -- 1.6.3.3 From 8a9037c23520a5218f1ac701c3f2144537a64b48 Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Wed, 29 Jul 2009 21:44:54 +0200 Subject: [PATCH 08/11] In demux_gif_fill_buffer(), make sure transparent_col is unitialized when passed to memcpy_transp_pic(), even in cases where its value will not be read. --- libmpdemux/demux_gif.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/libmpdemux/demux_gif.c b/libmpdemux/demux_gif.c index 13dbfb5..a8274ac 100644 --- a/libmpdemux/demux_gif.c +++ b/libmpdemux/demux_gif.c 
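Review bot: The added `(DWORD)tmp_List = (*(DWORD*)list);` resets tmp_List to the list head on every "add entry" pass, and the very next line does `tmp_List->next = malloc(...)`, so from the third entry onwards the hunk appears to overwrite head->next, orphaning the nodes appended earlier (a leak) and truncating the list to two entries; this is inferred from the visible lines only, since the earlier branch and the declaration of tmp_List are outside the hunk. If tmp_List really can be stale or NULL here, the safe form is to reload the head and then walk to the tail before appending: `tmp_List = (ArchiveList_struct*)(*(DWORD*)list);` followed by `while (tmp_List->next) tmp_List = tmp_List->next;`. Separately, round-tripping a pointer through DWORD truncates it on 64-bit targets and a cast used as an lvalue is a compiler extension rather than C; the file already does this elsewhere, but new code should not add another instance.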
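Review bot: Inside the new `if (desc) {` block in font_load.c's fail_out path, the nested `if (desc->fpath)` and `if (desc->name)` guards are redundant because free(NULL) is a no-op; the block reads more clearly as `free(desc->fpath); free(desc->name); free(desc);`. The outer NULL test is the actual fix and should stay. Whether desc->fpath and desc->name are always initialized by the time fail_out is reached cannot be seen from the hunk, so that should be confirmed against the allocation site above it.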
@@ -73,7 +73,7 @@ static int demux_gif_fill_buffer(demuxer_t *demuxer, demux_stream_t *ds) uint8_t *buf = NULL; int refmode = 0; int transparency = 0; - uint8_t transparent_col; + uint8_t transparent_col = 0; while (type != IMAGE_DESC_RECORD_TYPE) { if (DGifGetRecordType(gif, &type) == GIF_ERROR) { -- 1.6.3.3 From 8d9a1330c5e2c106610f3be05b039267631082e0 Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Wed, 29 Jul 2009 22:02:24 +0200 Subject: [PATCH 09/11] Fix NULL pointer dereference in asx_get_element(). A bit ugly maybe. --- asxparser.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/asxparser.c b/asxparser.c index 4a1f922..2811d02 100644 --- a/asxparser.c +++ b/asxparser.c @@ -342,7 +342,8 @@ asx_get_element(ASX_Parser_t* parser,char** _buffer, } if(ptr1[0] == '\n') parser->line++; } - continue; + if(ptr4 != NULL) + continue; } if(ptr4 == NULL || ptr4[1] == '\0') { mp_msg(MSGT_PLAYTREE,MSGL_ERR,"At line %d : EOB reached while parsing %s element body",parser->line,element); -- 1.6.3.3 From 19211b378d63c4cd4a878520faa92c183d41dbb0 Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Wed, 29 Jul 2009 22:20:16 +0200 Subject: [PATCH 10/11] In vmd_read_header(), don't process audio streams if we previously decided that there aren't any and thus didn't initialize st and friends --- libavformat/sierravmd.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/libavformat/sierravmd.c b/libavformat/sierravmd.c index 1f8e434..9abdeff 100644 --- a/libavformat/sierravmd.c +++ b/libavformat/sierravmd.c @@ -181,6 +181,8 @@ static int vmd_read_header(AVFormatContext *s, continue; switch(type) { case 1: /* Audio Chunk */ + if(vmd->sample_rate) + continue; /* We aren't expecting any. */ /* first audio chunk contains several audio buffers */ if(current_audio_pts){ vmd->frame_table[total_frames].frame_offset = current_offset; -- 1.6.3.3 From caf9621f63bafe5961ac1c25dd208b2165fd3a5c Mon Sep 17 00:00:00 2001 
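Review bot: The `uint8_t transparent_col = 0;` line would benefit from a comment saying why a value that the description says is never read still needs a definite value, since a later reader will otherwise be tempted to drop the initializer: `uint8_t transparent_col = 0; /* only meaningful when transparency is set; zeroed so memcpy_transp_pic() never receives an indeterminate byte */`. Passing an uninitialized object by value is undefined behavior regardless of whether the callee reads it, which is the real justification. The subject line also reads "unitialized" where "initialized" is meant. The rest of demux_gif_fill_buffer() is outside the hunk.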
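Review bot: The new `if(ptr4 != NULL) continue;` in asx_get_element() changes the loop's control flow in a way that is easy to misread, because the fall-through case is handled by the `if(ptr4 == NULL || ptr4[1] == '\0')` test that follows only after the enclosing block closes. A comment on the new line would keep the next maintainer from "simplifying" it back: `/* ptr4 == NULL means no closing tag was found; fall through to the EOB error below instead of looping again */`. The loop header and the remainder of the function are outside the hunk.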
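Review bot: The new guard in vmd_read_header() looks inverted relative to its own comment and the commit message: `if(vmd->sample_rate) continue; /* We aren't expecting any. */` skips the audio chunk exactly when a sample rate was found, and still processes it (with st and friends uninitialized, per the description) when sample_rate is zero. If a zero sample_rate is the "no audio stream was created" condition, as the description states, the line should be `if(!vmd->sample_rate) continue; /* no audio stream was set up above */`. Where st is initialized is outside the hunk, so this reading should be checked against the earlier part of the function.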
From: Fabian Keil Date: Mon, 3 Aug 2009 20:18:00 +0200 Subject: [PATCH 11/11] Fix NULL pointer dereference in ts_add_stream(). --- libmpdemux/demux_ts.c | 12 ++++++------ 1 files changed, 6 insertions(+), 6 deletions(-) diff --git a/libmpdemux/demux_ts.c b/libmpdemux/demux_ts.c index 996a957..f66fac5 100644 --- a/libmpdemux/demux_ts.c +++ b/libmpdemux/demux_ts.c @@ -307,13 +307,13 @@ static void ts_add_stream(demuxer_t * demuxer, ES_stream_t *es) priv->ts.streams[es->pid].type = TYPE_AUDIO; mp_msg(MSGT_DEMUX, MSGL_V, "\r\nADDED AUDIO PID %d, type: %x stream n. %d\r\n", es->pid, sh->format, priv->last_aid); priv->last_aid++; - } - if(es->extradata && es->extradata_len) - { - sh->wf = (WAVEFORMATEX *) malloc(sizeof (WAVEFORMATEX) + es->extradata_len); - sh->wf->cbSize = es->extradata_len; - memcpy(sh->wf + 1, es->extradata, es->extradata_len); + if(es->extradata && es->extradata_len) + { + sh->wf = (WAVEFORMATEX *) malloc(sizeof (WAVEFORMATEX) + es->extradata_len); + sh->wf->cbSize = es->extradata_len; + memcpy(sh->wf + 1, es->extradata, es->extradata_len); + } } } -- 1.6.3.3
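Review bot: The relocated extradata block in ts_add_stream() still dereferences the result of `malloc(sizeof (WAVEFORMATEX) + es->extradata_len)` on the next line without checking it, so a patch titled "fix NULL pointer dereference" leaves one in the code it moves. Use `sh->wf = calloc(1, sizeof (WAVEFORMATEX) + es->extradata_len);` and guard the assignment and memcpy with `if (sh->wf)`; calloc also keeps the WAVEFORMATEX header fields from being indeterminate if nothing later fills them, which cannot be seen from the hunk. `cbSize` is a 16-bit field, so if es->extradata_len can exceed 65535 the assignment truncates silently and should be range-checked as well.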