From d39a05870790dca489c8dac9d53f4b5f0214efb8 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 10 Nov 2019 05:07:28 +0100 Subject: avformat/id3v2: Fix double-free on error ff_id3v2_parse_priv_dict() uses av_dict_set() with the flags AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL. In this case both key and value are freed on error (and owned by the destination dictionary on success), so that freeing them again on error is a double-free and therefore forbidden. But it nevertheless happened. Fixes CID 1452489 and 1452421. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 67d4940a7795aa3afc8d1e624de33b030e0be51e) Signed-off-by: Michael Niedermayer
---
 libavformat/id3v2.c | 2 -- 1 file changed, 2 deletions(-)
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index b43ab1745f..e9843eef9a 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -1263,8 +1263,6 @@ int ff_id3v2_parse_priv_dict(AVDictionary **metadata, ID3v2ExtraMeta **extra_met
 }
 if ((ret = av_dict_set(metadata, key, escaped, dict_flags)) < 0) {
- av_free(key);
- av_free(escaped);
 return ret;
 }
 }
-- cgit v1.2.3