avformat/id3v2: Fix double-free on error

ff_id3v2_parse_priv_dict() uses av_dict_set() with the flags
AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL. In this case both
key and value are freed on error (and owned by the destination
dictionary on success), so that freeing them again on error is a
double-free and therefore forbidden. But it nevertheless happened.

Fixes CID 1452489 and 1452421.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 67d4940a77)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Andreas Rheinhardt 2019-11-10 05:07:28 +01:00 committed by Michael Niedermayer
parent 96e1ca6e05
commit d39a058707
1 changed files with 0 additions and 2 deletions

View File

@ -1263,8 +1263,6 @@ int ff_id3v2_parse_priv_dict(AVDictionary **metadata, ID3v2ExtraMeta **extra_met
} }
if ((ret = av_dict_set(metadata, key, escaped, dict_flags)) < 0) { if ((ret = av_dict_set(metadata, key, escaped, dict_flags)) < 0) {
av_free(key);
av_free(escaped);
return ret; return ret;
} }
} }