[pulseaudio-discuss] [PATCH 4/6] source-output: Avoid potential NULL dereference

Tanu Kaskinen tanuk at iki.fi
Fri Aug 19 15:44:19 UTC 2016


On Thu, 2016-08-18 at 18:17 +0200, Peter Meerwald-Stadler wrote:
> if data->source is NULL, pa_source_output_new_data_set_source() may
> fail to set data->source;
> the false retval is ignored, leading to a NULL dereference in
> pa_source_get_state(data->source) below
> 
> CID 1323590
> ---
>  src/pulsecore/source-output.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/src/pulsecore/source-output.c b/src/pulsecore/source-
> output.c
> index 35ef1c5..d6a1d57 100644
> --- a/src/pulsecore/source-output.c
> +++ b/src/pulsecore/source-output.c
> @@ -271,7 +271,8 @@ int pa_source_output_new(
>              pa_return_val_if_fail(source, -PA_ERR_NOENTITY);
>          }
>  
> -        pa_source_output_new_data_set_source(data, source, false);
> +        if (!pa_source_output_new_data_set_source(data, source, false))
> +            return -PA_ERR_NOTSUPPORTED;
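
Review bot: the early `return -PA_ERR_NOTSUPPORTED;` added after the `pa_source_output_new_data_set_source(data, source, false)` call exits without logging anything, and nothing in the hunk explains why a false return maps to "not supported". Add a log message or a short comment at that return stating the failure condition. The check also covers only this branch, while the dereference the commit message names, `pa_source_get_state(data->source)`, is further down, so a guard placed directly before that dereference would cover every path that reaches it.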

The function can fail only if the source doesn't support the requested
formats, and we already have code that returns -PA_ERR_NOTSUPPORTED if
the format negotiation fails, with nice log messages that don't
necessarily get printed after this patch.

The only way the NULL dereferencing could happen is if something
sets data->format, but doesn't set data->source. That would be a bug,
because the format can only be negotiated when the source is known. I
think we can just add pa_assert(data->source) before the pointer is
dereferenced to make Coverity happy.

-- 
Tanu
