From b79eefc8583536da9faa87b50d82eaef8a3e0dde Mon Sep 17 00:00:00 2001
From: Aidan MacDonald
Date: Mon, 2 May 2022 16:48:19 +0100
Subject: [PATCH] apps: fix tagtree arithmetic on null pointers
It was possible for the tag tree's buflib move callback to turn a null pointer non-null. The tagcache_search_clause->str can be null for OR clauses. Also ensure that clauses are zeroed on allocation to ensure garbage pointers don't creep in.
Change-Id: Ic823a8eecc501eeaa75798066521e427a9a89190
---
 apps/tagtree.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/apps/tagtree.c b/apps/tagtree.c
index 9fb2172e57..45d2bb991b 100644
--- a/apps/tagtree.c
+++ b/apps/tagtree.c
@@ -223,7 +223,8 @@ static int move_callback(int handle, void* current, void* new)
 {
 for(int l = 0; l < mentry->si.clause_count[k]; l++)
 {
- UPDATE(mentry->si.clause[k][l]->str, diff);
+ if(mentry->si.clause[k][l]->str)
+ UPDATE(mentry->si.clause[k][l]->str, diff);
 UPDATE(mentry->si.clause[k][l], diff);
 }
 }
@@ -702,7 +703,7 @@ static int get_condition(struct search_instruction *inst)
 return -2;
 }
 
- new_clause = tagtree_alloc(sizeof(struct tagcache_search_clause));
+ new_clause = tagtree_alloc0(sizeof(struct tagcache_search_clause));
 if (!new_clause)
 {
 logf("tagtree failed to allocate %s", "search clause");
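Review bot: The new null guard on `mentry->si.clause[k][l]->str` records nothing about why a clause's `str` may be NULL, so a later reader is likely to see it as a stray check and drop it; a comment above the `if` would pin the invariant the commit message states: `/* str is NULL for OR clauses; only relocate pointers that really point into the buffer */`. The guard is only sound because every clause is zero-initialised at allocation (the second hunk switches get_condition to `tagtree_alloc0`); if a clause is ever created by another path without zeroing, an uninitialised `str` would pass the test and be relocated, so that coupling is worth naming in the same comment. As a point of style, the body of the `if` is an unbraced macro call and `if(` lacks the space the file uses elsewhere (`if (!new_clause)`); braces on their own lines would match the surrounding block style. move_callback begins and ends outside this hunk.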
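Review bot: The allocation size in `new_clause = tagtree_alloc0(sizeof(struct tagcache_search_clause));` is tied to the type name rather than to the object being allocated; `new_clause = tagtree_alloc0(sizeof *new_clause);` keeps the size correct if the pointer's type ever changes and is the usual C idiom. The move to a zeroing allocator is what makes the NULL test on `str` in the first hunk reliable, so a short comment at the call site, such as `/* zeroed so an unset str stays NULL for move_callback */`, would explain why `tagtree_alloc0` rather than `tagtree_alloc` is required here. The body of get_condition continues outside the hunk, so whether any other clause-creation path still uses the non-zeroing allocator cannot be confirmed from this diff.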