From 0e1cda420f6db3f2486db54e2bc2f6be188f047d Mon Sep 17 00:00:00 2001
From: John Breton <55368611+john-breton@users.noreply.github.com>
Date: Fri, 20 Jun 2025 15:38:56 -0400
Subject: [PATCH] Fix double free in ContentEncoding

Origin: https://github.com/webmproject/libvpx/commit/6a7c84a2449dcc70de2525df209afea908622399
Author: James Zern <jzern@google.com>

-----
This is a security fix for CVE-2019-2126. Godot currently contains a vulnerable version of libwebm in its 3.6 branch that is susceptible to a double free due to a missing reset of a freed pointer. This commit corrects that issue.
---
 .../libsimplewebm/libwebm/mkvparser/mkvparser.cc       | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/thirdparty/libsimplewebm/libwebm/mkvparser/mkvparser.cc b/thirdparty/libsimplewebm/libwebm/mkvparser/mkvparser.cc
index e7b76f7da11..83e8aa9e4a5 100644
--- a/thirdparty/libsimplewebm/libwebm/mkvparser/mkvparser.cc
+++ b/thirdparty/libsimplewebm/libwebm/mkvparser/mkvparser.cc
@@ -4232,6 +4232,7 @@ long ContentEncoding::ParseContentEncodingEntry(long long start, long long size,
         new (std::nothrow) ContentEncryption*[encryption_count];
     if (!encryption_entries_) {
       delete[] compression_entries_;
+      compression_entries_ = NULL;
       return -1;
     }
     encryption_entries_end_ = encryption_entries_;
@@ -4263,6 +4264,7 @@ long ContentEncoding::ParseContentEncodingEntry(long long start, long long size,
         delete compression;
         return status;
       }
+      assert(compression_count > 0);
       *compression_entries_end_++ = compression;
     } else if (id == libwebm::kMkvContentEncryption) {
       ContentEncryption* const encryption =
@@ -4275,6 +4277,7 @@ long ContentEncoding::ParseContentEncodingEntry(long long start, long long size,
         delete encryption;
         return status;
       }
+      assert(encryption_count > 0);
       *encryption_entries_end_++ = encryption;
     }
 
@@ -4326,7 +4329,12 @@ long ContentEncoding::ParseCompressionEntry(long long start, long long size,
         delete[] buf;
         return status;
       }
-
+      // There should be only one settings element per content compression.
+      if (compression->settings != NULL) {
+        delete[] buf;
+        return E_FILE_FORMAT_INVALID;
+      }
+			
       compression->settings = buf;
       compression->settings_len = buflen;
     }