From 3410bc66fb91f46325ab1d008b6a421dd8240949 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9rgio=20M=2E=20Basto?= <sergio@serjux.com>
Date: Sat, 2 Nov 2019 04:21:17 +0000
Subject: [PATCH 09/10] Null out pointer after free to prevent double free

If an exception occurs (because of a crafted MP4) before the value is reassigned, then a double free can occur.  By setting the pointer to NULL after the first free, we prevent the double free in this case.
Addresses: https://nvd.nist.gov/vuln/detail/CVE-2018-14054

copied form https://github.com/TechSmith/mp4v2/commit/f09cceeee5bd7f783fd31f10e8b3c440ccf4c743
From: Dave O'Rourke
Date: Wed, 20 Mar 2019 08:57:29 -0400
---
 src/mp4property.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/mp4property.cpp b/src/mp4property.cpp
index 9a5b1e3..1b8e1d2 100644
--- a/src/mp4property.cpp
+++ b/src/mp4property.cpp
@@ -391,8 +391,10 @@ void MP4StringProperty::Read( MP4File& file, uint32_t index )
         char*& value = m_values[i];
 
         // Generally a default atom setting, e.g. see atom_avc1.cpp, "JVT/AVC Coding"; we'll leak this string if
-        // we don't free.  Note that MP4Free checks for null.
-        MP4Free(value); 
+        // we don't free.  Note that this code checks for null before calling free and sets the pointer to null
+        // after freeing it, to prevent a double free in case an exception occurs before the value is reassigned.
+        MP4Free( value );
+        value = NULL;
 
         if( m_useCountedFormat ) {
             value = file.ReadCountedString( (m_useUnicode ? 2 : 1), m_useExpandedCount, m_fixedLength );
-- 
2.21.0