[FFmpeg-devel] [PATCH 2/5] lavu/dict: check for malloc failures some more

Michael Niedermayer michaelni at gmx.at
Sat Dec 13 02:26:20 CET 2014


On Fri, Dec 12, 2014 at 06:15:40PM +0100, wm4 wrote:
> This fix is rather messy because of AV_DICT_DONT_STRDUP_VAL. It's not
> even clear how this should be handled. Maybe freeing the user's data on
> failure would actually be ok.
> ---
>  libavutil/dict.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/libavutil/dict.c b/libavutil/dict.c
> index a362de0..c4b97dc 100644
> --- a/libavutil/dict.c
> +++ b/libavutil/dict.c
> @@ -72,6 +72,7 @@ int av_dict_set(AVDictionary **pm, const char *key, const char *value,
>      AVDictionary *m = *pm;
>      AVDictionaryEntry *tag = av_dict_get(m, key, NULL, flags);
>      char *oldval = NULL;
> +    void *tmp = NULL;
>  
>      if (!m)
>          m = *pm = av_mallocz(sizeof(*m));
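
Review bot: the new declaration void *tmp is too generic in both name and
type for what it holds. In the rest of the patch it only ever stores the
key string of the entry being added, so declaring it as char * with a name
such as new_key would make the cleanup at err_out readable without
tracing every assignment.
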
> @@ -104,6 +105,7 @@ int av_dict_set(AVDictionary **pm, const char *key, const char *value,
>              m->elems[m->count].key = av_strdup(key);
>          if (!m->elems[m->count].key)
>              goto err_out;
> +        tmp = m->elems[m->count].key;
>          if (flags & AV_DICT_DONT_STRDUP_VAL) {
>              m->elems[m->count].value = (char*)(intptr_t)value;
>          } else if (oldval && flags & AV_DICT_APPEND) {
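
Review bot: the assignment tmp = m->elems[m->count].key runs no matter how
the key got into the slot. The av_strdup(key) line just above is indented
as one arm of a conditional; if the other arm stores the caller's key
pointer as is (the AV_DICT_DONT_STRDUP_KEY case), tmp aliases key, and
err_out then frees the same pointer twice, once through
av_free((void*)key) and once through av_free(tmp). Set tmp only in the arm
that calls av_strdup, or skip av_free(tmp) when AV_DICT_DONT_STRDUP_KEY is
set.
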
> @@ -117,7 +119,10 @@ int av_dict_set(AVDictionary **pm, const char *key, const char *value,
>              m->elems[m->count].value = newval;
>          } else
>              m->elems[m->count].value = av_strdup(value);
> +        if (!m->elems[m->count].value)
> +            goto err_out;
>          m->count++;
> +        tmp = NULL;
>      }
>      if (!m->count) {
>          av_free(m->elems);
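
Review bot: the new goto err_out after the value assignment leaves
m->elems[m->count].key pointing at memory that err_out releases through
tmp. count has not been incremented, so the slot is outside the live
range, but a stale pointer left in the array is easy to trip over in a
later change. Reset the slot's key to NULL before jumping, so the array
never holds a pointer that has been freed.
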
> @@ -133,6 +138,7 @@ err_out:
>      }
>      if (flags & AV_DICT_DONT_STRDUP_KEY) av_free((void*)key);
>      if (flags & AV_DICT_DONT_STRDUP_VAL) av_free((void*)value);
> +    av_free(tmp);
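
Review bot: err_out now has three frees (key, value, tmp) with nothing
saying which pointer each one owns, and the commit message itself says
the AV_DICT_DONT_STRDUP_VAL handling is unclear. Add a comment at err_out
stating that key and value are consumed on failure when the matching
DONT_STRDUP flag is set, and that tmp must only ever hold a copy made
inside this function, so the invariant the added av_free(tmp) relies on
is written down next to it.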

this will/can lead to double frees

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

What does censorship reveal? It reveals fear. -- Julian Assange