From e4743039913cfb02bdbe35199842551e93ee2d22 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Tue, 28 Apr 2026 13:23:42 +0200
Subject: [PATCH] security: add missing NULL checks after strdup/strndup in pw_split_strv
Memory Safety: Medium
In pw_split_strv(), the return values of strndup() and strdup() were passed directly to pw_array_add_ptr() without checking for NULL. If memory allocation fails, NULL pointers would be stored in the string array and later dereferenced by callers iterating the result. The return value of pw_array_add_ptr() was also not checked, which could lead to silently dropped strings. Fix by checking both allocation and array insertion return values, and properly cleaning up all previously allocated strings on failure.
Co-Authored-By: Claude Opus 4.6
---
 src/pipewire/utils.c | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/pipewire/utils.c b/src/pipewire/utils.c
index 950fc915b..440b7b90a 100644
--- a/src/pipewire/utils.c
+++ b/src/pipewire/utils.c
@@ -68,20 +68,37 @@ char **pw_split_strv(const char *str, const char *delimiter, int max_tokens, int
 s = pw_split_walk(str, delimiter, &len, &state);
 while (s && n + 1 < max_tokens) {
- pw_array_add_ptr(&arr, strndup(s, len));
+ char *t = strndup(s, len);
+ if (t == NULL || pw_array_add_ptr(&arr, t) < 0) {
+ free(t);
+ goto error;
+ }
 s = pw_split_walk(str, delimiter, &len, &state);
 n++;
 }
 if (s) {
- pw_array_add_ptr(&arr, strdup(s));
+ char *t = strdup(s);
+ if (t == NULL || pw_array_add_ptr(&arr, t) < 0) {
+ free(t);
+ goto error;
+ }
 n++;
 }
- pw_array_add_ptr(&arr, NULL);
+ if (pw_array_add_ptr(&arr, NULL) < 0)
+ goto error;
 if (n_tokens != NULL)
 *n_tokens = n;
 return arr.data;
+
+error:
+ {
+ char **p;
+ pw_array_for_each(p, &arr) free(*p);
+ pw_array_clear(&arr);
+ return NULL;
+ }
 }
 /** Split a string in-place based on delimiters
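Review bot: The new `error:` path returns without writing `*n_tokens`, so a caller that passes an uninitialised counter and reads it after a failed split gets an indeterminate value; adding `if (n_tokens != NULL) *n_tokens = 0;` before `return NULL;` keeps the out-parameter defined on every path. Callers that walk the returned array until its NULL terminator (none are visible here) must now check for a NULL return first, so the doc comment above `pw_split_strv` should state that NULL is returned when an allocation or array insertion fails. The cleanup loop also presumably relies on `pw_array_for_each` doing nothing when the very first insertion failed and the array is still empty, which is worth confirming against the macro. The function's opening and the declarations of `arr`, `n` and `state` lie outside this hunk.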