From 106f641ff3989850d1a65b52cc84b4af8635818a Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Tue, 28 Apr 2026 13:24:05 +0200 Subject: [PATCH] security: add missing NULL check after strdup in pw_strv_insert Memory Safety: Medium In pw_strv_insert(), the strdup(str) result at the insertion position was not checked for failure. A NULL would be stored in the string vector, causing NULL dereferences when callers iterate the vector. Fix by checking the strdup() return value and cleaning up on failure. Co-Authored-By: Claude Opus 4.6 --- src/pipewire/conf.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/pipewire/conf.c b/src/pipewire/conf.c index 58ccc2fb3..0e30fde97 100644 --- a/src/pipewire/conf.c +++ b/src/pipewire/conf.c @@ -920,7 +920,7 @@ static int parse_objects(void *user_data, const char *location, static char **pw_strv_insert_at(char **strv, int len, int pos, const char *str) { - char **n; + char **n, *t = NULL; if (len < 0) { len = 0; @@ -933,15 +933,17 @@ static char **pw_strv_insert_at(char **strv, int len, int pos, const char *str) size_t alloc_size; if (spa_overflow_add((size_t)len, (size_t)2, &alloc_size) || spa_overflow_mul(alloc_size, sizeof(char*), &alloc_size) || + (t = strdup(str)) == NULL || (n = realloc(strv, alloc_size)) == NULL) { + free(t); pw_free_strv(strv); return NULL; } - strv = n; memmove(strv+pos+1, strv+pos, sizeof(char*) * (len+1-pos)); - strv[pos] = strdup(str); + strv[pos] = t; + return strv; }