Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / flac / 684fb3d544b6fec54464e2f09296eb8d7705382a^! / .
commit684fb3d544b6fec54464e2f09296eb8d7705382a[log] [tgz]
authorErik de Castro Lopo <erikd@mega-nerd.com>Sat Aug 22 16:51:08 2015 +1000
committerErik de Castro Lopo <erikd@mega-nerd.com>Sat Aug 22 19:25:39 2015 +1000
tree7afa168fdd8065c1c288baae2f8c1aaf3a79bb27
parentf7c52c8aa8e2a4ccfd98e3ba8d6dbfa04d75a17b [diff]
libFLAC/stream_decoder: Fix double free

The american-fuzzy-lop fuzzer found a couple of instances of double
free() resulting from commit 15a9062609.

The problematic free() were the ones associated with use of the
safe_realloc_mul_2op_() function which can call realloc(ptr,0) which
according to the realloc manpage is already an implicit free().

diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c
index 4a4be2e..519b0c3 100644
--- a/src/libFLAC/stream_decoder.c
+++ b/src/libFLAC/stream_decoder.c

@@ -763,9 +763,7 @@
 	FLAC__ASSERT(0 != decoder->private_->metadata_filter_ids);
 
 	if(decoder->private_->metadata_filter_ids_count == decoder->private_->metadata_filter_ids_capacity) {
-		void *oldptr = decoder->private_->metadata_filter_ids;
 		if(0 == (decoder->private_->metadata_filter_ids = safe_realloc_mul_2op_(decoder->private_->metadata_filter_ids, decoder->private_->metadata_filter_ids_capacity, /*times*/2))) {
-			free(oldptr);
 			decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;
 			return false;
 		}
@@ -824,9 +822,7 @@
 	FLAC__ASSERT(0 != decoder->private_->metadata_filter_ids);
 
 	if(decoder->private_->metadata_filter_ids_count == decoder->private_->metadata_filter_ids_capacity) {
-		void *oldptr = decoder->private_->metadata_filter_ids;
 		if(0 == (decoder->private_->metadata_filter_ids = safe_realloc_mul_2op_(decoder->private_->metadata_filter_ids, decoder->private_->metadata_filter_ids_capacity, /*times*/2))) {
-			free(oldptr);
 			decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;
 			return false;
 		}
@@ -1660,7 +1656,6 @@
 {
 	FLAC__uint32 i, x;
 	FLAC__uint64 xx;
-	void *oldptr;
 
 	FLAC__ASSERT(FLAC__bitreader_is_consumed_byte_aligned(decoder->private_->input));
 
@@ -1671,9 +1666,7 @@
 	decoder->private_->seek_table.data.seek_table.num_points = length / FLAC__STREAM_METADATA_SEEKPOINT_LENGTH;
 
 	/* use realloc since we may pass through here several times (e.g. after seeking) */
-	oldptr = decoder->private_->seek_table.data.seek_table.points;
 	if(0 == (decoder->private_->seek_table.data.seek_table.points = safe_realloc_mul_2op_(decoder->private_->seek_table.data.seek_table.points, decoder->private_->seek_table.data.seek_table.num_points, /*times*/sizeof(FLAC__StreamMetadata_SeekPoint)))) {
-		free(oldptr);
 		decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;
 		return false;
 	}