[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-bluetooth
Subject:    [BlueZ v2 19/20] avrcp: Fix uninitialised memory usage
From:       Bastien Nocera <hadess () hadess ! net>
Date:       2024-05-10 12:10:29
Message-ID: 20240510121355.3241456-20-hadess () hadess ! net
[Download RAW message or body]

Error: UNINIT (CWE-457): [#def35] [important]
bluez-5.75/profiles/audio/avrcp.c:2550:2: var_decl: Declaring variable "name" without \
initializer. bluez-5.75/profiles/audio/avrcp.c:2567:2: uninit_use_in_call: Using \
uninitialized value "*name" when calling "media_player_create_item". 2565|		mp = \
player->user_data; 2566|
2567|->		item = media_player_create_item(mp, name, PLAYER_ITEM_TYPE_AUDIO, uid);
2568|		if (item == NULL)
2569|			return NULL;

Error: UNINIT (CWE-457): [#def36] [important]
bluez-5.75/profiles/audio/avrcp.c:2583:2: var_decl: Declaring variable "name" without \
initializer. bluez-5.75/profiles/audio/avrcp.c:2601:2: uninit_use_in_call: Using \
uninitialized value "*name" when calling "media_player_create_folder". 2599|		}
2600|
2601|->		item = media_player_create_folder(mp, name, type, uid);
2602|		if (!item)
2603|			return NULL;
---
 profiles/audio/avrcp.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 36ce01a14eea..752e55be37a4 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -2555,11 +2555,10 @@ static struct media_item *parse_media_element(struct avrcp \
*session,  
 	uid = get_be64(&operands[0]);
 
+	memset(name, 0, sizeof(name));
 	namelen = MIN(get_be16(&operands[11]), sizeof(name) - 1);
-	if (namelen > 0) {
+	if (namelen > 0)
 		memcpy(name, &operands[13], namelen);
-		name[namelen] = '\0';
-	}
 
 	player = session->controller->player;
 	mp = player->user_data;
@@ -2592,11 +2591,10 @@ static struct media_item *parse_media_folder(struct avrcp \
*session,  type = operands[8];
 	playable = operands[9];
 
+	memset(name, 0, sizeof(name));
 	namelen = MIN(get_be16(&operands[12]), sizeof(name) - 1);
-	if (namelen > 0) {
+	if (namelen > 0)
 		memcpy(name, &operands[14], namelen);
-		name[namelen] = '\0';
-	}
 
 	item = media_player_create_folder(mp, name, type, uid);
 	if (!item)
-- 
2.44.0


[prev in list] [next in list] [prev in thread] [next in thread]