diff options
author | Steven Liu <liuqi05@kuaishou.com> | 2021-12-01 11:19:47 +0800 |
---|---|---|
committer | Steven Liu <lq@chinaffmpeg.org> | 2021-12-16 11:02:57 +0800 |
commit | 3f46ffe956a563a975b65fcb0bcf131fd30956ff (patch) | |
tree | d2f388602efbc6fc79d3ab7128559c50ab2d8031 /libavformat | |
parent | 38e5ca9310b1a4dbb72fbe28769c9119bb880691 (diff) |
avformat/aviobuf: fix double free by return early on error
Because the s->buffer has been freed by av_freep in avio_closep.
It should not av_freep the buffer in label fail after avio_closep.
Then just move the av_freep before avio_closep and remove the label fail.
Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Reviewed-by: Zhao Zhili <zhilizhao@tencent.com>
Signed-off-by: Steven Liu <liuqi05@kuaishou.com>
Diffstat (limited to 'libavformat')
-rw-r--r-- | libavformat/aviobuf.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 969c127b23..14d4b8f240 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -977,18 +977,19 @@ int ffio_fdopen(AVIOContext **s, URLContext *h) (int (*)(void *, uint8_t *, int)) ffurl_read, (int (*)(void *, uint8_t *, int)) ffurl_write, (int64_t (*)(void *, int64_t, int))ffurl_seek); - if (!*s) - goto fail; - + if (!*s) { + av_freep(&buffer); + return AVERROR(ENOMEM); + } (*s)->protocol_whitelist = av_strdup(h->protocol_whitelist); if (!(*s)->protocol_whitelist && h->protocol_whitelist) { avio_closep(s); - goto fail; + return AVERROR(ENOMEM); } (*s)->protocol_blacklist = av_strdup(h->protocol_blacklist); if (!(*s)->protocol_blacklist && h->protocol_blacklist) { avio_closep(s); - goto fail; + return AVERROR(ENOMEM); } (*s)->direct = h->flags & AVIO_FLAG_DIRECT; @@ -1006,9 +1007,6 @@ int ffio_fdopen(AVIOContext **s, URLContext *h) ((FFIOContext*)(*s))->short_seek_get = (int (*)(void *))ffurl_get_short_seek; (*s)->av_class = &ff_avio_class; return 0; -fail: - av_freep(&buffer); - return AVERROR(ENOMEM); } URLContext* ffio_geturlcontext(AVIOContext *s) |