pulse-server: message: improve resizing logic

As Coverity points out, `ensure_size()` is not fully correct.

Let us assume that the message already has some allocated storage,
and the `realloc()` call in the next `ensure_size()` invocation fails.
In that case `message::data` is freed, but the pointer is left behind.
If another `ensure_size()` call is made, then `realloc()` will be called
(since the previous call left `message::allocated` as zero), but the
first argument of the `realloc()` call will be a dangling pointer.

In order to avoid the above, first of all, clear `message::data` after
a failed `realloc()` call, and immediately return `-ENOMEM` if
`message::length` is greater than `message::allocated` since
that signals if the message has even run into an out-of-memory
situation.
Barnabás Pőcze 2022-06-16 19:59:30 +02:00 committed by Wim Taymans
parent 080a97c0bb
commit ae34b68e3a


@ -390,6 +390,9 @@ static int ensure_size(struct message *m, uint32_t size)
uint32_t alloc, diff;
void *data;
if (m->length > m->allocated)
return -ENOMEM;
if (m->length + size <= m->allocated)
return size;
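Review bot: the new early return `if (m->length > m->allocated) return -ENOMEM;` relies on an invariant that is not visible in this hunk: `length` can only exceed `allocated` after the failure path further down has reset `allocated` to zero while leaving `length` untouched, so the condition is really a "previous allocation already failed" sentinel. A one-line comment stating that would help, because without it the check reads like an unreachable consistency assertion. It is also worth spelling out why the check is needed at all: once `m->data` is NULL, the later `realloc(m->data, alloc)` would simply succeed as a fresh allocation, leaving a stale `m->length` that points past the new buffer, which is what this return prevents.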
@ -397,6 +400,7 @@ static int ensure_size(struct message *m, uint32_t size)
diff = alloc - m->allocated;
if ((data = realloc(m->data, alloc)) == NULL) {
free(m->data);
m->data = NULL;
m->impl->stat.allocated -= m->allocated;
m->allocated = 0;
return -errno;
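Review bot: `return -errno;` is evaluated after `free(m->data)`, and POSIX permits `free()` to modify errno, so the value reported may no longer be the one set by the failed `realloc()`. Either capture it immediately after the `realloc()` check (`int res = -errno;`) or return a fixed `-ENOMEM`, which would also match the new early return in the previous hunk. Setting `m->data = NULL` is the right fix for the dangling pointer; leaving `m->length` as-is appears deliberate, since the first hunk uses `length > allocated` to detect this state, and that dependency deserves a short comment next to `m->allocated = 0;` so a future cleanup does not "helpfully" reset `length` here as well.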