avformat/aviobuf: fix double free by return early on error

Because the s->buffer has been freed by av_freep in avio_closep.
It should not av_freep the buffer in label fail after avio_closep.
Then just move the av_freep before avio_closep and remove the label fail.

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Reviewed-by: Zhao Zhili <zhilizhao@tencent.com>
Signed-off-by: Steven Liu <liuqi05@kuaishou.com>

1 files changed, 6 insertions, 8 deletions

diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 969c127b23..14d4b8f240 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -977,18 +977,19 @@ int ffio_fdopen(AVIOContext **s, URLContext *h)
                             (int (*)(void *, uint8_t *, int))  ffurl_read,
                             (int (*)(void *, uint8_t *, int))  ffurl_write,
                             (int64_t (*)(void *, int64_t, int))ffurl_seek);
-    if (!*s)
-        goto fail;
-
+    if (!*s) {
+        av_freep(&buffer);
+        return AVERROR(ENOMEM);
+    }
     (*s)->protocol_whitelist = av_strdup(h->protocol_whitelist);
     if (!(*s)->protocol_whitelist && h->protocol_whitelist) {
         avio_closep(s);
-        goto fail;
+        return AVERROR(ENOMEM);
     }
     (*s)->protocol_blacklist = av_strdup(h->protocol_blacklist);
     if (!(*s)->protocol_blacklist && h->protocol_blacklist) {
         avio_closep(s);
-        goto fail;
+        return AVERROR(ENOMEM);
     }
     (*s)->direct = h->flags & AVIO_FLAG_DIRECT;
 
@@ -1006,9 +1007,6 @@ int ffio_fdopen(AVIOContext **s, URLContext *h)
     ((FFIOContext*)(*s))->short_seek_get = (int (*)(void *))ffurl_get_short_seek;
     (*s)->av_class = &ff_avio_class;
     return 0;
-fail:
-    av_freep(&buffer);
-    return AVERROR(ENOMEM);
 }
 
 URLContext* ffio_geturlcontext(AVIOContext *s)