On Fri, Dec 12, 2014 at 06:15:40PM +0100, wm4 wrote:
This fix is rather messy because of AV_DICT_DONT_STRDUP_VAL. It's not
even clear how this should be handled. Maybe freeing the user's data on
failure would actually be ok.
---
libavutil/dict.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/libavutil/dict.c b/libavutil/dict.c
index a362de0..c4b97dc 100644
--- a/libavutil/dict.c
+++ b/libavutil/dict.c
@@ -72,6 +72,7 @@ int av_dict_set(AVDictionary **pm, const char *key, const
char *value,
AVDictionary *m = *pm;
AVDictionaryEntry *tag = av_dict_get(m, key, NULL, flags);
char *oldval = NULL;
+void *tmp = NULL;
if (!m)
m = *pm = av_mallocz(sizeof(*m));
@@ -104,6 +105,7 @@ int av_dict_set(AVDictionary **pm, const char *key, const
char *value,
m-elems[m-count].key = av_strdup(key);
if (!m-elems[m-count].key)
goto err_out;
+tmp = m-elems[m-count].key;
if (flags AV_DICT_DONT_STRDUP_VAL) {
m-elems[m-count].value = (char*)(intptr_t)value;
} else if (oldval flags AV_DICT_APPEND) {
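Review bot: `tmp`, assigned at `tmp = m->elems[m->count].key;`, is the only record of what the error path has to release, but neither its name nor its `void *` type (declared in the first hunk) says that it holds the key of the entry being built. Declaring it as `char *new_key` and commenting the assignment with `/* key of the entry under construction; reset to NULL once the entry is counted */` would let a reader audit the ownership hand-off without tracing every `goto err_out`. The lines before the `av_strdup(key)` assignment and the rest of av_dict_set are outside this hunk.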
@@ -117,7 +119,10 @@ int av_dict_set(AVDictionary **pm, const char *key,
const char *value,
m-elems[m-count].value = newval;
} else
m-elems[m-count].value = av_strdup(value);
+if (!m-elems[m-count].value)
+goto err_out;
m-count++;
+tmp = NULL;
}
if (!m-count) {
av_free(m-elems);
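Review bot: The added `if (!m->elems[m->count].value) goto err_out;` carries no comment explaining why the slot may be abandoned half-filled. A comment such as `/* value allocation failed: count is not incremented, so the partly filled slot is never visible */` would make explicit that the check relies on sitting before `m->count++`. If an existing entry for the same key has already been dropped earlier in the function (that code is outside this hunk, so this is inferred), a failed update now returns an error with the old entry gone. The function's documentation should then state this, so callers do not assume the dictionary is unchanged on failure.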
@@ -133,6 +138,7 @@ err_out:
}
if (flags AV_DICT_DONT_STRDUP_KEY) av_free((void*)key);
if (flags AV_DICT_DONT_STRDUP_VAL) av_free((void*)value);
+av_free(tmp);
this will/can lead to double frees
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
What does censorship reveal? It reveals fear. -- Julian Assange