
[FFmpeg-devel,2/7] avformat/id3v2: Fix double-free on error

Message ID 20191110040733.11755-1-andreas.rheinhardt@gmail.com
State Accepted
Commit 67d4940a7795aa3afc8d1e624de33b030e0be51e

Commit Message

Andreas Rheinhardt Nov. 10, 2019, 4:07 a.m. UTC
ff_id3v2_parse_priv_dict() uses av_dict_set() with the flags
AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL. In this case both
key and value are freed on error (and owned by the destination
dictionary on success), so that freeing them again on error is a
double-free and therefore forbidden. But it nevertheless happened.

Fixes CID 1452489 and 1452421.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
 libavformat/id3v2.c | 2 --
 1 file changed, 2 deletions(-)

Comments

Andreas Rheinhardt Dec. 7, 2019, 10:27 p.m. UTC | #1
Andreas Rheinhardt:
> ff_id3v2_parse_priv_dict() uses av_dict_set() with the flags
> AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL. In this case both
> key and value are freed on error (and owned by the destination
> dictionary on success), so that freeing them again on error is a
> double-free and therefore forbidden. But it nevertheless happened.
> 
> Fixes CID 1452489 and 1452421.
> 
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
> ---
>  libavformat/id3v2.c | 2 --
>  1 file changed, 2 deletions(-)
> 
> diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
> index b43ab1745f..e9843eef9a 100644
> --- a/libavformat/id3v2.c
> +++ b/libavformat/id3v2.c
> @@ -1263,8 +1263,6 @@ int ff_id3v2_parse_priv_dict(AVDictionary **metadata, ID3v2ExtraMeta **extra_met
>              }
>  
>              if ((ret = av_dict_set(metadata, key, escaped, dict_flags)) < 0) {
> -                av_free(key);
> -                av_free(escaped);
>                  return ret;
>              }
>          }
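Review bot: Dropping the two av_free() calls is the right fix for the double-free, but nothing at the call site now records that av_dict_set() takes ownership of key and escaped on both success and failure when the DONT_STRDUP flags are set; a one-line comment above the av_dict_set() call (or next to where dict_flags is defined) would keep a later contributor from reintroducing the frees on this error path.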
> 
Ping.

- Andreas
Michael Niedermayer Dec. 9, 2019, 10:37 p.m. UTC | #2
On Sun, Nov 10, 2019 at 05:07:28AM +0100, Andreas Rheinhardt wrote:
> ff_id3v2_parse_priv_dict() uses av_dict_set() with the flags
> AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL. In this case both
> key and value are freed on error (and owned by the destination
> dictionary on success), so that freeing them again on error is a
> double-free and therefore forbidden. But it nevertheless happened.
> 
> Fixes CID 1452489 and 1452421.
> 
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
> ---
>  libavformat/id3v2.c | 2 --
>  1 file changed, 2 deletions(-)

will apply

thx

[...]

Patch

diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index b43ab1745f..e9843eef9a 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -1263,8 +1263,6 @@  int ff_id3v2_parse_priv_dict(AVDictionary **metadata, ID3v2ExtraMeta **extra_met
             }
 
             if ((ret = av_dict_set(metadata, key, escaped, dict_flags)) < 0) {
-                av_free(key);
-                av_free(escaped);
                 return ret;
             }
         }
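Review bot: The correctness of this deletion depends on dict_flags always containing both AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL, which the hunk does not show; please confirm that dict_flags is set unconditionally, since with either flag absent av_dict_set() would not free that argument and the removed av_free() would turn into a leak rather than a double-free. Ownership transfers only at this call, so any error exit that precedes it in ff_id3v2_parse_priv_dict() still has to release key and escaped itself.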