libFLAC/stream_decoder: Fix double free

The american-fuzzy-lop fuzzer found a couple of instances of double free() resulting from commit 15a90626. The problematic free() were the ones associated with use of the safe_realloc_mul_2op_() function which can call realloc(ptr,0) which according to the realloc manpage is already an implicit free().

libFLAC/stream_decoder: Fix double free
The american-fuzzy-lop fuzzer found a couple of instances of double free() resulting from commit 15a90626. The problematic free() were the ones associated with use of the safe_realloc_mul_2op_() function which can call realloc(ptr,0) which according to the realloc manpage is already an implicit free().
684fb3d5 · Erik de Castro Lopo · f7c52c8a · 684fb3d5
Commit 684fb3d5 authored Aug 22, 2015 by Erik de Castro Lopo
--- a/src/libFLAC/stream_decoder.c
+++ b/src/libFLAC/stream_decoder.c
@@ -763,9 +763,7 @@ FLAC_API FLAC__bool FLAC__stream_decoder_set_metadata_respond_application(FLAC__
 	FLAC__ASSERT(0 != decoder->private_->metadata_filter_ids);

 	if(decoder->private_->metadata_filter_ids_count == decoder->private_->metadata_filter_ids_capacity) {
-		void *oldptr = decoder->private_->metadata_filter_ids;
 		if(0 == (decoder->private_->metadata_filter_ids = safe_realloc_mul_2op_(decoder->private_->metadata_filter_ids, decoder->private_->metadata_filter_ids_capacity, /*times*/2))) {
-			free(oldptr);
 			decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;
 			return false;
 		}
@@ -824,9 +822,7 @@ FLAC_API FLAC__bool FLAC__stream_decoder_set_metadata_ignore_application(FLAC__S
 	FLAC__ASSERT(0 != decoder->private_->metadata_filter_ids);

 	if(decoder->private_->metadata_filter_ids_count == decoder->private_->metadata_filter_ids_capacity) {
-		void *oldptr = decoder->private_->metadata_filter_ids;
 		if(0 == (decoder->private_->metadata_filter_ids = safe_realloc_mul_2op_(decoder->private_->metadata_filter_ids, decoder->private_->metadata_filter_ids_capacity, /*times*/2))) {
-			free(oldptr);
 			decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;
 			return false;
 		}
@@ -1660,7 +1656,6 @@ FLAC__bool read_metadata_seektable_(FLAC__StreamDecoder *decoder, FLAC__bool is_
 {
 	FLAC__uint32 i, x;
 	FLAC__uint64 xx;
-	void *oldptr;

 	FLAC__ASSERT(FLAC__bitreader_is_consumed_byte_aligned(decoder->private_->input));

@@ -1671,9 +1666,7 @@ FLAC__bool read_metadata_seektable_(FLAC__StreamDecoder *decoder, FLAC__bool is_
 	decoder->private_->seek_table.data.seek_table.num_points = length / FLAC__STREAM_METADATA_SEEKPOINT_LENGTH;

 	/* use realloc since we may pass through here several times (e.g. after seeking) */
-	oldptr = decoder->private_->seek_table.data.seek_table.points;
 	if(0 == (decoder->private_->seek_table.data.seek_table.points = safe_realloc_mul_2op_(decoder->private_->seek_table.data.seek_table.points, decoder->private_->seek_table.data.seek_table.num_points, /*times*/sizeof(FLAC__StreamMetadata_SeekPoint)))) {
-		free(oldptr);
 		decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;
 		return false;
 	}