On Fri, Dec 12, 2014 at 06:15:40PM +0100, wm4 wrote: > This fix is rather messy because of AV_DICT_DONT_STRDUP_VAL. It's not > even clear how this should be handled. Maybe freeing the user's data on > failure would actually be ok. > --- > libavutil/dict.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/libavutil/dict.c b/libavutil/dict.c > index a362de0..c4b97dc 100644 > --- a/libavutil/dict.c > +++ b/libavutil/dict.c > @@ -72,6 +72,7 @@ int av_dict_set(AVDictionary **pm, const char *key, const > char *value, > AVDictionary *m = *pm; > AVDictionaryEntry *tag = av_dict_get(m, key, NULL, flags); > char *oldval = NULL; > + void *tmp = NULL; > > if (!m) > m = *pm = av_mallocz(sizeof(*m)); > @@ -104,6 +105,7 @@ int av_dict_set(AVDictionary **pm, const char *key, const > char *value, > m->elems[m->count].key = av_strdup(key); > if (!m->elems[m->count].key) > goto err_out; > + tmp = m->elems[m->count].key; > if (flags & AV_DICT_DONT_STRDUP_VAL) { > m->elems[m->count].value = (char*)(intptr_t)value; > } else if (oldval && flags & AV_DICT_APPEND) { > @@ -117,7 +119,10 @@ int av_dict_set(AVDictionary **pm, const char *key, > const char *value, > m->elems[m->count].value = newval; > } else > m->elems[m->count].value = av_strdup(value); > + if (!m->elems[m->count].value) > + goto err_out; > m->count++; > + tmp = NULL; > } > if (!m->count) { > av_free(m->elems); > @@ -133,6 +138,7 @@ err_out: > } > if (flags & AV_DICT_DONT_STRDUP_KEY) av_free((void*)key); > if (flags & AV_DICT_DONT_STRDUP_VAL) av_free((void*)value); > + av_free(tmp);
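Review bot: `tmp = m->elems[m->count].key;` in the @@ -104 hunk is assigned without regard to how the key was obtained, and the added `av_free(tmp);` in err_out runs right after `if (flags & AV_DICT_DONT_STRDUP_KEY) av_free((void*)key);`. If the stored key can be the caller's own pointer when AV_DICT_DONT_STRDUP_KEY is set, both calls release the same memory. Set tmp only when the key was produced by av_strdup(), or skip the existing av_free of key when tmp is non-NULL.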
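Review bot: the new `if (!m->elems[m->count].value) goto err_out;` in the @@ -117 hunk leaves `m->elems[m->count].key` pointing at memory that err_out then releases through tmp, and it depends on the extra `tmp = NULL;` after `m->count++` to disarm that free on success. Releasing the key at the failure site (for example with av_freep(&m->elems[m->count].key) before the goto, for strdup'ed keys only) would keep the cleanup next to the allocation it undoes and remove the need for a function-wide `void *tmp`. Because the check follows an unbraced else, a short comment saying it also covers the AV_DICT_DONT_STRDUP_VAL and AV_DICT_APPEND branches would help.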
this will/can lead to double frees

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

What does censorship reveal? It reveals fear. -- Julian Assange
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel