From e3c20982a8aefd3ffdece7ad1c6aa0251975ea63 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Tue, 28 Apr 2026 12:33:23 +0200 Subject: [PATCH] security: add missing NULL checks after calloc in filter-graph Memory Safety: Medium Multiple calloc() calls for node port arrays and the graph handle array were not checked for NULL returns. If memory allocation fails, the code immediately dereferences the NULL pointers in subsequent loops, causing a crash. An attacker who can influence the filter graph configuration (e.g., through config files specifying many ports) could potentially trigger this condition. Fixed by adding NULL checks after all unchecked calloc calls and properly cleaning up on failure. Co-Authored-By: Claude Opus 4.6
---
 spa/plugins/filter-graph/filter-graph.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)
diff --git a/spa/plugins/filter-graph/filter-graph.c b/spa/plugins/filter-graph/filter-graph.c
index c3c5cd629..fc76710bb 100644
--- a/spa/plugins/filter-graph/filter-graph.c
+++ b/spa/plugins/filter-graph/filter-graph.c
@@ -1443,6 +1443,17 @@ static int load_node(struct graph *graph, struct spa_json *json)
 node->output_port = calloc(desc->n_output, sizeof(struct port));
 node->control_port = calloc(desc->n_control, sizeof(struct port));
 node->notify_port = calloc(desc->n_notify, sizeof(struct port));
+ if ((desc->n_input > 0 && node->input_port == NULL) ||
+ (desc->n_output > 0 && node->output_port == NULL) ||
+ (desc->n_control > 0 && node->control_port == NULL) ||
+ (desc->n_notify > 0 && node->notify_port == NULL)) {
+ free(node->input_port);
+ free(node->output_port);
+ free(node->control_port);
+ free(node->notify_port);
+ free(node);
+ return -ENOMEM;
+ }
 spa_log_info(impl->log, "loaded n_input:%d n_output:%d n_control:%d n_notify:%d", desc->n_input, desc->n_output,
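Review bot: The new failure branch releases the four port arrays and `node` but nothing else, so anything load_node acquired before these allocations would stay allocated when it returns -ENOMEM. The earlier part of the function is outside the hunk, so please confirm whether `desc` holds a reference (or whether other per-node state exists) that this path must drop as well. The branch is also silent: `impl->log` is in scope on the very next line, so a `spa_log_error(impl->log, "can't allocate node ports: out of memory");` before the frees would let an operator tell an allocation failure apart from a bad graph configuration. load_node begins and continues outside the hunk.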
@@ -2070,6 +2081,8 @@ static int setup_graph(struct graph *graph)
 if (spa_overflow_mul((size_t)graph->n_nodes, (size_t)n_hndl, &hndl_count))
 return -ENOMEM;
 graph->hndl = calloc(hndl_count, sizeof(struct graph_hndl));
+ if (hndl_count > 0 && graph->hndl == NULL)
+ return -ENOMEM;
 /* order all nodes based on dependencies, first reset fields */
 sort_reset(graph);
 while ((node = sort_next_node(graph)) != NULL) {
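Review bot: The `hndl_count > 0` guard on the added check needs a one-line comment, because it is not obvious that a NULL from a zero-sized calloc is being accepted on purpose: `/* calloc(0, ...) may return NULL; only a failed non-empty request is an error */`. It would also help to state whether a graph with zero handles is valid at this point, since the code after the hunk goes on to sort nodes with `graph->hndl` possibly NULL. If that case is not expected, rejecting it here would be safer than relying on every later loop to be bounded by the same count. setup_graph's body starts and continues outside the hunk, so this is for the author to confirm.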