CFTree: fix null-pointer dereferences in child handling#49

Open
DTW-Thalion wants to merge 1 commit into gnustep:master from DTW-Thalion:fix/cftree-null-deref

Conversation

@DTW-Thalion

Contributor

Two ways to crash via the public API:

  • CFTreePrependChild() set tree->_lastChild = NULL (instead of the new
    child) when the tree had no children, so prepending the first child
    left _lastChild NULL. A subsequent CFTreeAppendChild() then
    dereferenced it (tree->_lastChild->_nextSibling), a NULL write.

  • CFTreeGetChildAtIndex() walked the sibling list without checking for
    the end, so an index past the last child dereferenced NULL.

Set _lastChild to the new child, and stop the walk at the end of the
list (returning NULL for an out-of-range index). Adds regression tests
(the existing test prepended only after an append, so it never exercised
the empty-tree path).
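The two fixes described above, as an added example written for this page rather than corebase's own CFTree code: a minimal singly linked child list with the same _lastChild/_nextSibling shape. The Tree type, TreeCreate and the _firstChild field are assumed names, not taken from the project.

```c
/* Added illustration, not corebase's source: a minimal child list in the
 * shape the PR describes (_lastChild, _nextSibling); _firstChild is an
 * assumed field name. */
#include <stddef.h>
#include <stdlib.h>

typedef struct Tree {
    struct Tree *_firstChild;
    struct Tree *_lastChild;
    struct Tree *_nextSibling;
    int value;
} Tree;

Tree *TreeCreate(int value) {
    Tree *t = calloc(1, sizeof *t);
    if (t) t->value = value;
    return t;
}

/* Fixed prepend: on an empty tree the new child is also the last child.
 * The bug wrote NULL here, so a later append dereferenced _lastChild. */
void TreePrependChild(Tree *tree, Tree *child) {
    child->_nextSibling = tree->_firstChild;
    tree->_firstChild = child;
    if (tree->_lastChild == NULL)
        tree->_lastChild = child;
}

/* Append trusts _lastChild whenever the list is non-empty. */
void TreeAppendChild(Tree *tree, Tree *child) {
    child->_nextSibling = NULL;
    if (tree->_lastChild == NULL)
        tree->_firstChild = child;
    else
        tree->_lastChild->_nextSibling = child;
    tree->_lastChild = child;
}

/* Fixed lookup: stop at the end of the list and return NULL when index is
 * out of range instead of walking off the end. */
Tree *TreeGetChildAtIndex(Tree *tree, size_t index) {
    Tree *c = tree->_firstChild;
    while (c != NULL && index > 0) {
        c = c->_nextSibling;
        index--;
    }
    return c;
}
```

The sequence prepend-on-empty followed by append is exactly the path the original test never exercised; a regression test should cover it and the out-of-range index case.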
