From 6bcefd0d598c23e3de360a7bb64fb65541cff74f Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Wed, 29 Apr 2026 14:08:41 +0200
Subject: [PATCH] security: add missing NULL checks after calloc/strdup in filter-graph

Memory Safety: Medium
parse_graph() does not check the return values of calloc() for input_names/output_names arrays, or strdup() for individual name entries. If any allocation fails, the code dereferences a NULL pointer or stores NULL without detection. Add NULL checks that return -ENOMEM on allocation failure.
Co-Authored-By: Claude Opus 4.6
---
 spa/plugins/filter-graph/filter-graph.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/spa/plugins/filter-graph/filter-graph.c b/spa/plugins/filter-graph/filter-graph.c
index fc76710bb..51b125ddc 100644
--- a/spa/plugins/filter-graph/filter-graph.c
+++ b/spa/plugins/filter-graph/filter-graph.c
@@ -2287,16 +2287,28 @@ static int load_graph(struct graph *graph, const struct spa_dict *props)
 if (pinputs != NULL) {
 graph->n_input_names = count_array(pinputs);
 graph->input_names = calloc(graph->n_input_names, sizeof(char *));
+ if (graph->input_names == NULL)
+ return -ENOMEM;
 graph->n_input_names = 0;
- while (spa_json_get_string(pinputs, key, sizeof(key)) > 0)
- graph->input_names[graph->n_input_names++] = strdup(key);
+ while (spa_json_get_string(pinputs, key, sizeof(key)) > 0) {
+ graph->input_names[graph->n_input_names] = strdup(key);
+ if (graph->input_names[graph->n_input_names] == NULL)
+ return -ENOMEM;
+ graph->n_input_names++;
+ }
 }
 if (poutputs != NULL) {
 graph->n_output_names = count_array(poutputs);
 graph->output_names = calloc(graph->n_output_names, sizeof(char *));
+ if (graph->output_names == NULL)
+ return -ENOMEM;
 graph->n_output_names = 0;
- while (spa_json_get_string(poutputs, key, sizeof(key)) > 0)
- graph->output_names[graph->n_output_names++] = strdup(key);
+ while (spa_json_get_string(poutputs, key, sizeof(key)) > 0) {
+ graph->output_names[graph->n_output_names] = strdup(key);
+ if (graph->output_names[graph->n_output_names] == NULL)
+ return -ENOMEM;
+ graph->n_output_names++;
+ }
 }
 if ((res = setup_graph_controls(graph)) < 0)
 return res;
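Review bot: The added `if (graph->input_names == NULL) return -ENOMEM;` treats every NULL from calloc() as an allocation failure, but calloc() with a zero element count may return NULL by implementation choice. If count_array() can return 0 for an empty array, load_graph() would then reject a valid configuration on such a libc; `if (graph->input_names == NULL && graph->n_input_names > 0)` avoids that, and the output_names check needs the same change. Separately, both loops reset the count to 0 and write `names[n]` until spa_json_get_string() stops, with nothing tying the index to the allocated size; keeping the count_array() result in a local and adding `n < capacity` to the loop condition would make the bound explicit instead of relying on the two passes over the array agreeing. The early returns also leave partially filled arrays on the graph, which is only safe if teardown frees them, and load_graph() starts and ends outside this hunk, so that cannot be confirmed here. The description names parse_graph() while the hunk header shows load_graph().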