[pulseaudio-tickets] [PulseAudio] #701: Segfault by insufficient error handling / around pa_realpath
PulseAudio
trac-noreply at tango.0pointer.de
Sun Nov 1 04:25:09 PST 2009
#701: Segfault by insufficient error handling / around pa_realpath
----------------------+-----------------------------------------------------
Reporter: matthijs | Owner: lennart
Type: defect | Status: new
Milestone: | Component: core
Keywords: |
----------------------+-----------------------------------------------------
Hi,
I'm facing a segfault caused by invalid handling of out-of-memory errors
(I'm working on a swapless embedded system).
The cause of this is the following code in core-util.c/pa_realpath:
{{{
    path_buf = pa_xmalloc(PATH_MAX);
    if (!(t = realpath(path, path_buf))) {
        pa_xfree(path_buf);
        return NULL;
    }
}}}
Here, there is no check for the pa_xmalloc return value, which should
be there I think. This causes realpath to return NULL (I've also seen
cases where it segfaults directly) and thus pa_realpath to return NULL
as well.
In the main function, there is the following code:
{{{
    canonical_rp = pa_realpath(PA_BINARY);
    if ((rp = pa_readlink("/proc/self/exe"))) {
        if (pa_streq(rp, canonical_rp))
}}}
Here, the return value of pa_realpath is not checked and passed into
pa_streq (== strcmp) directly. If it is NULL, strcmp segfaults.
(Component set to core, but second part is about daemon, btw)
--
Ticket URL: <http://pulseaudio.org/ticket/701>
PulseAudio <http://pulseaudio.org/>
The PulseAudio Sound Server
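
The failure path described in the ticket (a path-resolution helper that can return NULL, feeding a strcmp-style comparison) can be closed at both ends. The sketch below is an added example, not part of the ticket or PulseAudio's code; `checked_realpath`, `safe_streq` and `exe_matches` are hypothetical names, and plain `malloc`/`free` stand in for `pa_xmalloc`/`pa_xfree`.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700 /* for realpath() */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical stand-in for pa_realpath(): returns a heap string the caller
 * frees, or NULL when allocation or resolution fails. */
static char *checked_realpath(const char *path) {
    char *buf, *resolved;
    if (!path)
        return NULL;
    if (!(buf = malloc(PATH_MAX))) /* report allocation failure to the caller */
        return NULL;
    if (!(resolved = realpath(path, buf))) {
        free(buf);
        return NULL;
    }
    return resolved; /* same pointer as buf */
}

/* NULL-tolerant comparison: a missing string never equals anything. */
static int safe_streq(const char *a, const char *b) {
    return a && b && strcmp(a, b) == 0;
}

/* Hypothetical caller mirroring the check in main(): 1 if running_exe equals
 * the canonical form of expected, 0 if it differs, -1 if the canonical path
 * could not be determined, so the caller can treat that case explicitly. */
static int exe_matches(const char *running_exe, const char *expected) {
    char *canonical = checked_realpath(expected);
    int r;
    if (!canonical)
        return -1;
    r = safe_streq(running_exe, canonical);
    free(canonical);
    return r;
}

int main(void) {
    /* Constructed inputs: "/" always resolves; the second path does not exist. */
    printf("%d %d\n", exe_matches("/", "/."),
           exe_matches("/", "/no-such-dir-constructed/bin"));
    return 0;
}
```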