mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-02 06:46:36 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: add missing NULL checks after calloc in Bluetooth backend

Browse source 
Memory Safety: Medium

Two calloc() calls in backend-native.c do not check the return value
before dereferencing the pointer:

1. rfcomm_send_cmd_enqueue() allocates an rfcomm_cmd struct and
   immediately passes cmd->cmd to vsnprintf without a NULL check.

2. rfcomm_hfp_ag_clcc() allocates an updated_call struct and
   immediately dereferences updated_call->id without a NULL check.

Both would crash on allocation failure. Add NULL checks that return
an error instead of dereferencing NULL.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-29 14:14:20 +02:00
parent d4cf1d0d6f
commit 398326f19c
1 changed files with 4 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
spa/plugins/bluez5/backend-native.c
View file

@ -584,6 +584,8 @@ static ssize_t rfcomm_send_cmd(struct rfcomm *rfcomm, int next_state, DBusMessag
va_list args;
cmd = calloc(1, sizeof(struct rfcomm_cmd));
if (cmd == NULL)
return -ENOMEM;
va_start(args, format);
len = vsnprintf(cmd->cmd, RFCOMM_MESSAGE_MAX_LENGTH + 1, format, args);
@ -2342,6 +2344,8 @@ static bool rfcomm_hfp_hf(struct rfcomm *rfcomm, char* token)
if (SPA_LIKELY (parsed)) {
struct updated_call *updated_call;
updated_call = calloc(1, sizeof(struct updated_call));
if (updated_call == NULL)
return false;
updated_call->id = idx;
spa_list_append(&rfcomm->updated_call_list, &updated_call->link);