avformat/aviobuf: fix double free by return early on error

Because the s->buffer has been freed by av_freep in avio_closep. It should not av_freep the buffer in label fail after avio_closep. Then just move the av_freep before avio_closep and remove the label fail. Reported-by: TOTE Robot <oslab@tsinghua.edu.cn> Reviewed-by: Zhao Zhili <zhilizhao@tencent.com> Signed-off-by: Steven Liu <liuqi05@kuaishou.com>
3 years ago · 3f46ffe956
parent 38e5ca9310
commit 3f46ffe956
1 changed files with 6 additions and 8 deletions
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@ -977,18 +977,19 @@ int ffio_fdopen(AVIOContext **s, URLContext *h)
                            (int (*)(void *, uint8_t *, int))  ffurl_read,
                            (int (*)(void *, uint8_t *, int))  ffurl_write,
                            (int64_t (*)(void *, int64_t, int))ffurl_seek);
-    if (!*s)
-        goto fail;
-
+    if (!*s) {
+        av_freep(&buffer);
+        return AVERROR(ENOMEM);
+    }
    (*s)->protocol_whitelist = av_strdup(h->protocol_whitelist);
    if (!(*s)->protocol_whitelist && h->protocol_whitelist) {
        avio_closep(s);
-        goto fail;
+        return AVERROR(ENOMEM);
    }
    (*s)->protocol_blacklist = av_strdup(h->protocol_blacklist);
    if (!(*s)->protocol_blacklist && h->protocol_blacklist) {
        avio_closep(s);
-        goto fail;
+        return AVERROR(ENOMEM);
    }
    (*s)->direct = h->flags & AVIO_FLAG_DIRECT;

@ -1006,9 +1007,6 @@ int ffio_fdopen(AVIOContext **s, URLContext *h)
    ((FFIOContext*)(*s))->short_seek_get = (int (*)(void *))ffurl_get_short_seek;
    (*s)->av_class = &ff_avio_class;
    return 0;
-fail:
-    av_freep(&buffer);
-    return AVERROR(ENOMEM);
 }

 URLContext* ffio_geturlcontext(AVIOContext *s)