git.tuebingen.mpg.de Git - paraslash.git/commit

author	Andre Noll <maan@tuebingen.mpg.de>
	Mon, 12 Jun 2023 23:14:07 +0000 (01:14 +0200)
committer	Andre Noll <maan@tuebingen.mpg.de>
	Sun, 18 Jun 2023 13:17:25 +0000 (15:17 +0200)
commit	04ef2e43d3658325dd3028476911a4b55c4c5dca
tree	64e529286099e61c83529082599ac6036832ac2b	tree \| snapshot
parent	72182df7af74e974af4d85a2f4143ea66a318844	commit \| diff

playlist: Fix error handling of playlist_load().

We open a fresh score table if the result pointer is not NULL,
indicating that we are called from com_ls() (with -a=p/foo) rather
than from com_select(). However, if an error occurs afterwards, we
call score_close() unconditionally. This is wrong in the result ==
NULL case (com_select()) because it closes the global score table
which is expected to stay open.

The result is a UAF, which is diagnosed by valgrind as follows:

==4767== Invalid read of size 4
==4767==    at 0x408C51E: osl_add_and_get_row (osl.c:1216)
==4767==    by 0x408CA99: osl_add_row (osl.c:1348)
==4767==    by 0x8060648: score_add (score.c:116)
==4767==    by 0x805F08C: add_to_score_table (mood.c:451)
==4767==    by 0x805FA3E: mood_load (mood.c:650)
==4767==    by 0x8057ECF: activate_mood_or_playlist (afs.c:447)
==4767==    by 0x8059637: com_select_callback (afs.c:1005)

Fixes: 2d2637cb4c9ab76fea6bc336b9af88fd00bf5e08