Fix double free in ContentEncoding

Origin: 6a7c84a244 Author: James Zern <jzern@google.com> ----- This is a security fix for CVE-2019-2126. Godot currently contains a vulnerable version of libwebm in its 3.6 branch that is susceptible to a double free due to a missing reset of a freed pointer. This commit corrects that issue.
2025-10-19 16:03:29 +00:00 · 2025-06-20 15:38:56 -04:00 · 2025-06-20 15:38:56 -04:00 · 0e1cda420f
commit 0e1cda420f
parent ac8b19e5ab
1 changed files with 9 additions and 1 deletions
--- a/thirdparty/libsimplewebm/libwebm/mkvparser/mkvparser.cc
+++ b/thirdparty/libsimplewebm/libwebm/mkvparser/mkvparser.cc
@ -4232,6 +4232,7 @@ long ContentEncoding::ParseContentEncodingEntry(long long start, long long size,
        new (std::nothrow) ContentEncryption*[encryption_count];
    if (!encryption_entries_) {
      delete[] compression_entries_;
+      compression_entries_ = NULL;
      return -1;
    }
    encryption_entries_end_ = encryption_entries_;
@ -4263,6 +4264,7 @@ long ContentEncoding::ParseContentEncodingEntry(long long start, long long size,
        delete compression;
        return status;
      }
+      assert(compression_count > 0);
      *compression_entries_end_++ = compression;
    } else if (id == libwebm::kMkvContentEncryption) {
      ContentEncryption* const encryption =
@ -4275,6 +4277,7 @@ long ContentEncoding::ParseContentEncodingEntry(long long start, long long size,
        delete encryption;
        return status;
      }
+      assert(encryption_count > 0);
      *encryption_entries_end_++ = encryption;
    }

@ -4326,6 +4329,11 @@ long ContentEncoding::ParseCompressionEntry(long long start, long long size,
        delete[] buf;
        return status;
      }
+      // There should be only one settings element per content compression.
+      if (compression->settings != NULL) {
+        delete[] buf;
+        return E_FILE_FORMAT_INVALID;
+      }
 			
      compression->settings = buf;
      compression->settings_len = buflen;