Re: [FFmpeg-devel] [PATCH 2/7] avformat/id3v2: Fix double-free on error
On Sun, Nov 10, 2019 at 05:07:28AM +0100, Andreas Rheinhardt wrote:
> ff_id3v2_parse_priv_dict() uses av_dict_set() with the flags
> AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL. In this case both
> key and value are freed on error (and owned by the destination
> dictionary on success), so that freeing them again on error is a
> double-free and therefore forbidden. But it nevertheless happened.
>
> Fixes CID 1452489 and 1452421.
>
> Signed-off-by: Andreas Rheinhardt
> ---
> libavformat/id3v2.c | 2 --
> 1 file changed, 2 deletions(-)

will apply

thx

[...]

--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

There will always be a question for which you do not know the correct answer.

___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/7] avformat/id3v2: Fix double-free on error
Andreas Rheinhardt:
> ff_id3v2_parse_priv_dict() uses av_dict_set() with the flags
> AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL. In this case both
> key and value are freed on error (and owned by the destination
> dictionary on success), so that freeing them again on error is a
> double-free and therefore forbidden. But it nevertheless happened.
>
> Fixes CID 1452489 and 1452421.
>
> Signed-off-by: Andreas Rheinhardt
> ---
> libavformat/id3v2.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c > index b43ab1745f..e9843eef9a 100644 > --- a/libavformat/id3v2.c > +++ b/libavformat/id3v2.c > @@ -1263,8 +1263,6 @@ int ff_id3v2_parse_priv_dict(AVDictionary **metadata, > ID3v2ExtraMeta **extra_met > } > > if ((ret = av_dict_set(metadata, key, escaped, dict_flags)) < 0) > { > -av_free(key); > -av_free(escaped); > return ret; > } > } >

Ping.

- Andreas

[FFmpeg-devel] [PATCH 2/7] avformat/id3v2: Fix double-free on error
ff_id3v2_parse_priv_dict() uses av_dict_set() with the flags
AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL. In this case both
key and value are freed on error (and owned by the destination
dictionary on success), so that freeing them again on error is a
double-free and therefore forbidden. But it nevertheless happened.

Fixes CID 1452489 and 1452421.

Signed-off-by: Andreas Rheinhardt
---
libavformat/id3v2.c | 2 --
1 file changed, 2 deletions(-)

diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index b43ab1745f..e9843eef9a 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -1263,8 +1263,6 @@ int ff_id3v2_parse_priv_dict(AVDictionary **metadata, ID3v2ExtraMeta **extra_met } if ((ret = av_dict_set(metadata, key, escaped, dict_flags)) < 0) { -av_free(key); -av_free(escaped); return ret; } }
--
2.20.1
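
Review bot: In the error branch of the av_dict_set() call, nothing in the remaining code tells a reader that key and escaped have already been released, so the two av_free() calls are easy to reintroduce later. A one-line comment above the call, stating that dict_flags carries AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL and that av_dict_set() therefore owns both pointers on success and on failure, would record the invariant next to the code that relies on it. The hunk does not show where dict_flags is assigned, so it is worth confirming that both flags are set on every path reaching this call; if one were missing, removing the frees would trade the double-free for a leak. With the body reduced to "return ret;", the braces around it can also be dropped.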