[FFmpeg-cvslog] avformat/id3v2: Fix double-free on error

[Andreas Rheinhardt]

ffmpeg | branch: master | Andreas Rheinhardt <andreas.rheinhardt at gmail.com> | Sun Nov 10 05:07:28 2019 +0100| [67d4940a7795aa3afc8d1e624de33b030e0be51e] | committer: Michael Niedermayer

avformat/id3v2: Fix double-free on error

ff_id3v2_parse_priv_dict() uses av_dict_set() with the flags
AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL. In this case both
key and value are freed on error (and owned by the destination
dictionary on success), so that freeing them again on error is a
double-free and therefore forbidden. But it nevertheless happened.

Fixes CID 1452489 and 1452421.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=67d4940a7795aa3afc8d1e624de33b030e0be51e
---

 libavformat/id3v2.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 7bae036635..abe073dcc1 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -1264,8 +1264,6 @@ int ff_id3v2_parse_priv_dict(AVDictionary **metadata, ID3v2ExtraMeta **extra_met
             }
 
             if ((ret = av_dict_set(metadata, key, escaped, dict_flags)) < 0) {
-                av_free(key);
-                av_free(escaped);
                 return ret;
             }
         }