lavf/movenc: fix invalid free with timecode meta and tmcd data copy.

[ffmpeg] / libavformat / id3v2.c

diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 1352b57b6314532a4eb66bd2c4d1d7bc1db444b2..9ccd8f2d074061dd6e5ff3ff8256c3023258889a 100644 (file)
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -130,6 +130,7 @@ const CodecMime ff_id3v2_mime_tags[] = {
     {"image/jpg",  CODEC_ID_MJPEG},
     {"image/png" , CODEC_ID_PNG},
     {"image/tiff", CODEC_ID_TIFF},
+    {"image/bmp",  CODEC_ID_BMP},
     {"",           CODEC_ID_NONE},
 };
 
@@ -272,7 +273,7 @@ static int decode_str(AVFormatContext *s, AVIOContext *pb, int encoding,
 static void read_ttag(AVFormatContext *s, AVIOContext *pb, int taglen, const char *key)
 {
     uint8_t *dst;
-    int encoding, dict_flags = AV_DICT_DONT_OVERWRITE;
+    int encoding, dict_flags = AV_DICT_DONT_OVERWRITE | AV_DICT_DONT_STRDUP_VAL;
     unsigned genre;
 
     if (taglen < 1)
@@ -290,7 +291,7 @@ static void read_ttag(AVFormatContext *s, AVIOContext *pb, int taglen, const cha
         && (sscanf(dst, "(%d)", &genre) == 1 || sscanf(dst, "%d", &genre) == 1)
         && genre <= ID3v1_GENRE_MAX) {
         av_freep(&dst);
-        dst = ff_id3v1_genre_str[genre];
+        dst = av_strdup(ff_id3v1_genre_str[genre]);
     } else if (!(strcmp(key, "TXXX") && strcmp(key, "TXX"))) {
         /* dst now contains the key, need to get value */
         key = dst;
@@ -299,10 +300,9 @@ static void read_ttag(AVFormatContext *s, AVIOContext *pb, int taglen, const cha
             av_freep(&key);
             return;
         }
-        dict_flags |= AV_DICT_DONT_STRDUP_VAL | AV_DICT_DONT_STRDUP_KEY;
-    }
-    else if (*dst)
-        dict_flags |= AV_DICT_DONT_STRDUP_VAL;
+        dict_flags |= AV_DICT_DONT_STRDUP_KEY;
+    } else if (!*dst)
+        av_freep(&dst);
 
     if (dst)
         av_dict_set(&s->metadata, key, dst, dict_flags);
@@ -489,7 +489,7 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, char *tag
 
     apic->len   = taglen;
     apic->data  = av_malloc(taglen);
-    if (!apic->data || avio_read(pb, apic->data, taglen) != taglen)
+    if (!apic->data || !apic->len || avio_read(pb, apic->data, taglen) != taglen)
         goto fail;
 
     new_extra->tag    = "APIC";