Open
Description
I'm seeing a crash inside InputContainer::cinit, in the call to av_dict_free if I pass any options to av.open:
==102753== Thread 97:
==102753== Invalid read of size 4
==102753== at 0xAD2253D: av_dict_free (in venv/lib/python3.12/site-packages/av.libs/libavutil-a63ffd27.so.59.39.100)
==102753== by 0x1066D75B: __pyx_pf_2av_9container_5input_14InputContainer___cinit__ (input.c:4121)
==102753== by 0x1066D75B: __pyx_pw_2av_9container_5input_14InputContainer_1__cinit__ (input.c:3769)
==102753== by 0x1066D75B: __pyx_tp_new_2av_9container_5input_InputContainer (input.c:7059)
==102753== by 0x599A76: ??? (in /usr/bin/python3.12)
==102753== by 0x548F54: _PyObject_MakeTpCall (in /usr/bin/python3.12)
==102753== by 0xFF1C5A1: __pyx_pf_2av_9container_4core_open (core.c:9158)
==102753== by 0xFF1C5A1: __pyx_pw_2av_9container_4core_1open (core.c:8752)
==102753== by 0x5DA965: _PyEval_EvalFrameDefault (in /usr/bin/python3.12)
==102753== by 0x66C158: ??? (in /usr/bin/python3.12)
==102753== by 0x65A8D43: ??? (in /usr/lib/python3.12/lib-dynload/_asyncio.cpython-312-x86_64-linux-gnu.so)
==102753== by 0x65A8B5A: ??? (in /usr/lib/python3.12/lib-dynload/_asyncio.cpython-312-x86_64-linux-gnu.so)
==102753== by 0x548F54: _PyObject_MakeTpCall (in /usr/bin/python3.12)
==102753== by 0x6A480B: ??? (in /usr/bin/python3.12)
==102753== by 0x581E9C: ??? (in /usr/bin/python3.12)
==102753== Address 0x730dda74696c7073 is not stack'd, malloc'd or (recently) free'd
avformat_find_stream_info can find additional streams, which leads to av_dict_free(&c_options[i]) being out-of-bounds.
https://github.com/FFmpeg/FFmpeg/blob/master/libavformat/demux.c#L2520
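The failure mode described above, reduced to a self-contained C model (an added example, not PyAV's or FFmpeg's code). The `mock_*` types and functions are constructed stand-ins, and the sketch assumes the options array is sized from the stream count before the probe call; freeing by the count captured at allocation keeps the loop in bounds even when the probe grows `nb_streams`.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for illustration; not FFmpeg or PyAV types. */
typedef struct mock_dict { int entries; } mock_dict;
typedef struct mock_ctx { unsigned nb_streams; } mock_ctx;

/* Frees one dictionary and clears the slot; NULL slots are a no-op. */
static void mock_dict_free(mock_dict **d) { free(*d); *d = NULL; }

/* Models a probe that discovers `extra` streams and grows nb_streams.
 * The caller's opts array is NOT resized. */
static int mock_find_stream_info(mock_ctx *ctx, mock_dict **opts, unsigned extra) {
    (void)opts;
    ctx->nb_streams += extra;
    return 0;
}

/* Returns the number of option slots freed, or -1 on allocation failure. */
int probe_with_options(mock_ctx *ctx, unsigned extra) {
    const unsigned n_opts = ctx->nb_streams;   /* count the array is sized for */
    mock_dict **opts = calloc(n_opts ? n_opts : 1, sizeof(*opts));
    int freed = 0, ok = (opts != NULL);

    for (unsigned i = 0; ok && i < n_opts; i++)
        ok = (opts[i] = calloc(1, sizeof(**opts))) != NULL;
    if (ok)
        mock_find_stream_info(ctx, opts, extra);

    /* Unsafe variant: `i < ctx->nb_streams` here would read opts[n_opts..]
     * and hand wild pointers to the free routine once the probe added streams.
     * Safe: iterate over the count captured when the array was allocated. */
    for (unsigned i = 0; opts && i < n_opts; i++) {
        mock_dict_free(&opts[i]);
        freed++;
    }
    free(opts);
    return ok ? freed : -1;
}

int main(void) {
    mock_ctx ctx = { 2 };                      /* constructed input: 2 streams */
    int freed = probe_with_options(&ctx, 3);   /* probe finds 3 more */
    printf("freed %d option slots, nb_streams now %u\n", freed, ctx.nb_streams);
    return 0;
}
```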