[FFmpeg-devel] [PATCH 2/7] avformat/id3v2: Fix double-free on error
Andreas Rheinhardt
andreas.rheinhardt at gmail.com
Sun Dec 8 00:27:00 EET 2019
Andreas Rheinhardt:
> ff_id3v2_parse_priv_dict() uses av_dict_set() with the flags
> AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL. In this case both
> key and value are freed on error (and owned by the destination
> dictionary on success), so that freeing them again on error is a
> double-free and therefore forbidden. But it nevertheless happened.
>
> Fixes CID 1452489 and 1452421.
>
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
> ---
> libavformat/id3v2.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
> index b43ab1745f..e9843eef9a 100644
> --- a/libavformat/id3v2.c
> +++ b/libavformat/id3v2.c
> @@ -1263,8 +1263,6 @@ int ff_id3v2_parse_priv_dict(AVDictionary **metadata, ID3v2ExtraMeta **extra_met
> }
>
> if ((ret = av_dict_set(metadata, key, escaped, dict_flags)) < 0) {
> - av_free(key);
> - av_free(escaped);
> return ret;
> }
> }
>
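Review bot: in the av_dict_set() error branch, nothing at the call site now says why key and escaped are not freed, so the two av_free() calls could easily be added back by a later cleanup. A one-line comment above the call stating that with dict_flags both key and escaped are freed by av_dict_set() on failure would document the ownership rule where it matters. The branch is also down to a single "return ret;", so its braces can be dropped if the file's style allows it.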
Ping.
- Andreas