From a0254c88a4daba2128ac8e1561952a8f986c237e Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo
Date: Wed, 17 Dec 2014 19:02:26 +1100
Subject: src/libFLAC/stream_decoder.c : Fix NULL de-reference.

NULL de-reference can really only happen on a malformed file.

Found using afl (http://lcamtuf.coredump.cx/afl/).

CYNGNOS-3235
Bug: 27211885
Change-Id: Iad7ced634d417df475050c8f379e0e95ec36b115
(cherry picked from commit 83a817d2002b2b439ed85c002b18666b4dcb6cfd)
(cherry picked from commit a8175b65cc0653fbecb96a05874ece7bea7053a8)
---
 libFLAC/stream_decoder.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libFLAC/stream_decoder.c b/libFLAC/stream_decoder.c
index d3ff9ee..9e27667 100644
--- a/libFLAC/stream_decoder.c
+++ b/libFLAC/stream_decoder.c
@@ -1755,8 +1755,10 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre
 }
 else
 length -= 4;
- if (!FLAC__bitreader_read_uint32_little_endian(decoder->private_->input, &obj->comments[i].length))
+ if (!FLAC__bitreader_read_uint32_little_endian(decoder->private_->input, &obj->comments[i].length)) {
+ obj->num_comments = i;
 return false; /* read_callback_ sets the state for us */
+ }
 if (obj->comments[i].length > 0) {
 if (length < obj->comments[i].length) {
 obj->num_comments = i;
-- 
cgit v1.2.3
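Review bot: The added `obj->num_comments = i;` is the entire fix, yet nothing at the call site says why the count must be rolled back before the early return; the same bare assignment already appears two lines further down in the `length < obj->comments[i].length` branch, so the invariant it protects is now stated twice without explanation. I would put a one-line comment above the new assignment, e.g. `/* only comments[0..i) are initialised; truncate so cleanup never touches the rest */`, which also tells the next maintainer that any other failure exit inside this loop needs the same treatment. It is worth confirming, since read_metadata_vorbiscomment_ starts and continues outside this hunk, that every remaining `return false` between the allocation of `obj->comments` and the end of the loop truncates `num_comments` the same way, otherwise the same class of malformed-file crash the subject line describes remains reachable through a different read failure. The count-then-read ordering is fine as written; the fix itself is correct for the path shown.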