libFLAC/stream_decoder: Fix double free
authorErik de Castro Lopo <erikd@mega-nerd.com>
Sat, 22 Aug 2015 06:51:08 +0000 (16:51 +1000)
committerErik de Castro Lopo <erikd@mega-nerd.com>
Sat, 22 Aug 2015 09:25:39 +0000 (19:25 +1000)
The american-fuzzy-lop fuzzer found a couple of instances of double
free() resulting from commit 15a9062609.

The problematic free() calls were the ones associated with use of the
safe_realloc_mul_2op_() function which can call realloc(ptr,0) which
according to the realloc manpage is already an implicit free().

src/libFLAC/stream_decoder.c

index 4a4be2e..519b0c3 100644 (file)
@@ -763,9 +763,7 @@ FLAC_API FLAC__bool FLAC__stream_decoder_set_metadata_respond_application(FLAC__
        FLAC__ASSERT(0 != decoder->private_->metadata_filter_ids);
 
        if(decoder->private_->metadata_filter_ids_count == decoder->private_->metadata_filter_ids_capacity) {
-               void *oldptr = decoder->private_->metadata_filter_ids;
                if(0 == (decoder->private_->metadata_filter_ids = safe_realloc_mul_2op_(decoder->private_->metadata_filter_ids, decoder->private_->metadata_filter_ids_capacity, /*times*/2))) {
-                       free(oldptr);
                        decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;
                        return false;
                }
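Review bot: Dropping `free(oldptr)` in this hunk (and likewise in the FLAC__stream_decoder_set_metadata_ignore_application hunk and the seek-table hunk at -1671) reintroduces a leak on the non-zero-size failure path: when safe_realloc_mul_2op_ returns 0 because realloc failed or the size multiplication overflowed, the old block is still allocated and its only reference has just been overwritten with 0, unless the helper releases its argument in that case, which cannot be seen from this page. The realloc(ptr, 0) case the commit message describes is only reachable here if metadata_filter_ids_capacity is 0, which the assertion on the non-null pointer above makes unlikely, so in these two hunks the removal trades a double free that cannot occur for a leak that can. The conventional shape assigns to a temporary and leaves the field intact on failure, e.g. `void *newptr = safe_realloc_mul_2op_(decoder->private_->metadata_filter_ids, decoder->private_->metadata_filter_ids_capacity, /*times*/2);` then `if(0 == newptr) { free(decoder->private_->metadata_filter_ids); decoder->private_->metadata_filter_ids = 0; ... }` guarded on the requested size being non-zero, with `decoder->private_->metadata_filter_ids = newptr;` on success. On the failure path metadata_filter_ids_count and metadata_filter_ids_capacity still describe a block that no longer exists while the pointer is 0, so a comment such as `/* decoder is unusable once state is FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR; count/capacity are stale here */` would make that deliberate. The enclosing function starts and ends outside the hunk.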
@@ -824,9 +822,7 @@ FLAC_API FLAC__bool FLAC__stream_decoder_set_metadata_ignore_application(FLAC__S
        FLAC__ASSERT(0 != decoder->private_->metadata_filter_ids);
 
        if(decoder->private_->metadata_filter_ids_count == decoder->private_->metadata_filter_ids_capacity) {
-               void *oldptr = decoder->private_->metadata_filter_ids;
                if(0 == (decoder->private_->metadata_filter_ids = safe_realloc_mul_2op_(decoder->private_->metadata_filter_ids, decoder->private_->metadata_filter_ids_capacity, /*times*/2))) {
-                       free(oldptr);
                        decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;
                        return false;
                }
@@ -1660,7 +1656,6 @@ FLAC__bool read_metadata_seektable_(FLAC__StreamDecoder *decoder, FLAC__bool is_
 {
        FLAC__uint32 i, x;
        FLAC__uint64 xx;
-       void *oldptr;
 
        FLAC__ASSERT(FLAC__bitreader_is_consumed_byte_aligned(decoder->private_->input));
 
@@ -1671,9 +1666,7 @@ FLAC__bool read_metadata_seektable_(FLAC__StreamDecoder *decoder, FLAC__bool is_
        decoder->private_->seek_table.data.seek_table.num_points = length / FLAC__STREAM_METADATA_SEEKPOINT_LENGTH;
 
        /* use realloc since we may pass through here several times (e.g. after seeking) */
-       oldptr = decoder->private_->seek_table.data.seek_table.points;
        if(0 == (decoder->private_->seek_table.data.seek_table.points = safe_realloc_mul_2op_(decoder->private_->seek_table.data.seek_table.points, decoder->private_->seek_table.data.seek_table.num_points, /*times*/sizeof(FLAC__StreamMetadata_SeekPoint)))) {
-               free(oldptr);
                decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;
                return false;
        }
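Review bot: With num_points computed as length / FLAC__STREAM_METADATA_SEEKPOINT_LENGTH, a SEEKTABLE block of length 0 makes safe_realloc_mul_2op_ call realloc(points, 0), whose result is implementation-defined in C11: glibc frees the block and returns NULL, so the `0 ==` test here reports FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR for a well-formed empty table, while other allocators return a live non-NULL block that is later treated as a zero-element array. Whether a zero-length block reaches this point depends on validation above the hunk, which is not on this page. Handling the empty case explicitly before the realloc makes the outcome independent of the allocator and leaves the NULL test meaning only "allocation failed"; it does not by itself address the leak of the old block on the non-zero failure path noted on the first hunk. The enclosing function starts before the hunk and continues past it.
```c
	/* use realloc since we may pass through here several times (e.g. after seeking) */
	if(decoder->private_->seek_table.data.seek_table.num_points == 0) {
		/* empty table: release any previous points without relying on realloc(ptr, 0) semantics */
		free(decoder->private_->seek_table.data.seek_table.points);
		decoder->private_->seek_table.data.seek_table.points = 0;
	}
	else if(0 == (decoder->private_->seek_table.data.seek_table.points = safe_realloc_mul_2op_(decoder->private_->seek_table.data.seek_table.points, decoder->private_->seek_table.data.seek_table.num_points, /*times*/sizeof(FLAC__StreamMetadata_SeekPoint)))) {
		/* … unchanged: set FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR and return false … */
	}
```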