From 04ef2e43d3658325dd3028476911a4b55c4c5dca Mon Sep 17 00:00:00 2001 From: Andre Noll Date: Tue, 13 Jun 2023 01:14:07 +0200 Subject: [PATCH] playlist: Fix error handling of playlist_load(). We open a fresh score table if the result pointer is not NULL, indicating that we are called from com_ls() (with -a=p/foo) rather than from com_select(). However, if an error occurs afterwards, we call score_close() unconditionally. This is wrong in the result == NULL case (com_select()) because it closes the global score table which is expected to stay open. The result is a UAF, which is diagnosed by valgrind as follows: ==4767== Invalid read of size 4 ==4767== at 0x408C51E: osl_add_and_get_row (osl.c:1216) ==4767== by 0x408CA99: osl_add_row (osl.c:1348) ==4767== by 0x8060648: score_add (score.c:116) ==4767== by 0x805F08C: add_to_score_table (mood.c:451) ==4767== by 0x805FA3E: mood_load (mood.c:650) ==4767== by 0x8057ECF: activate_mood_or_playlist (afs.c:447) ==4767== by 0x8059637: com_select_callback (afs.c:1005) Fixes: 2d2637cb4c9ab76fea6bc336b9af88fd00bf5e08 --- playlist.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/playlist.c b/playlist.c index cd5fc5ad..c145b0fd 100644 --- a/playlist.c +++ b/playlist.c @@ -184,7 +184,8 @@ int playlist_load(const char *name, struct playlist_instance **result, char **ms } return pi->length; close_score_table: - score_close(pi->score_table); + if (result) + score_close(pi->score_table); free(pi); err: PARA_NOTICE_LOG("unable to load playlist %s\n", name); -- 2.39.2
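Review bot: the added `if (result)` guard before `score_close(pi->score_table)` in the `close_score_table:` path mirrors the condition under which the function opened a fresh score table, but the two sites are now coupled only by convention; if the open condition is ever changed, the close will silently drift and the original bug (closing the global score table expected to stay open, the use-after-free valgrind reported in the message) returns. Consider recording whether this call owns the table in a local or in `struct playlist_instance` at the point it is opened and testing that at the label, or at least a one-line comment at the guard stating that a NULL `result` means the global table is in use and must not be closed here. The unconditional `free(pi)` that follows is correct in both cases since `pi` is allocated regardless of `result`.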