From: Andre Noll
Date: Mon, 12 Jun 2023 16:06:10 +0000 (+0200)
Subject: server: Fix NULL pointer dereference in com_ls().
X-Git-Tag: v0.7.3~12^2~3
X-Git-Url: http://git.tue.mpg.de/?a=commitdiff_plain;h=72182df7af74e974af4d85a2f4143ea66a318844;p=paraslash.git

server: Fix NULL pointer dereference in com_ls().

The previous commit which extended the -a option of the ls command to accept an optional argument introduced the following flaw: If the argument of -a corresponds to the name of a mood for which no files are admissible, the server crashes due to a NULL pointer dereference because mood_load() leaves the mood instance pointer uninitialized although it returns zero, indicating success. This behaviour of mood_load() contradicts the promises made in its documentation.

Fix mood_load() by not special-casing the "zero admissible files" case, which even simplifies the code a bit. If all goes well but no files turn out to be admissible, we now open the score table anyway and set the mood pointer to the allocated mood as usual.

Since get_statistics() may now be called with zero admissible files, we have to add a check there before dividing by the number of admissible files.

Fixes: 2d2637cb4c9ab76fea6bc336b9af88fd00bf5e08
---
diff --git a/mood.c b/mood.c index 804fb576..ddd2f1cc 100644 --- a/mood.c +++ b/mood.c @@ -531,6 +531,8 @@ static char *get_statistics(struct mood_instance *m, int64_t sse) unsigned n = m->stats.num; int mean_days, sigma_days; + if (n == 0) + return make_message("no admissible files\n"); mean_days = (sse - m->stats.last_played_sum / n) / 3600 / 24; sigma_days = int_sqrt(m->stats.last_played_qd / n) / 3600 / 24; return make_message( 
@@ -638,12 +640,6 @@ int mood_load(const char *mood_name, struct mood_instance **result, char **msg) } clock_get_realtime(&rnow); compute_correction_factors(rnow.tv_sec, &aa.m->stats); - if (aa.m->stats.num == 0) { - if (msg) - *msg = make_message("no admissible files\n"); - ret = 0; - goto out; - } if (result) score_open(&aa.m->score_table); for (i = 0; i < aa.m->stats.num; i++) {
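
Review bot: In get_statistics(), the new n == 0 early return sits directly after the declarations with no comment saying why n can be zero at this point. Since the mood_load() hunk removes the only visible place that stopped processing when stats.num was zero, a one-line comment above the check (for example, that a loaded mood may have no admissible files) would help keep a later cleanup from dropping it and exposing the two divisions by n in the mean_days and sigma_days lines again.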
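
Review bot: In mood_load(), with the stats.num == 0 block removed, the zero-file case falls through to score_open() and a for loop that runs zero times, and the only visible assignment to *msg is gone. The lines shown do not include the code after the loop, so please confirm that it still fills *msg when msg is non-NULL and that it copes with zero files when result is NULL, since score_open() is only called if result is set. A regression test that loads a mood with no admissible files, once with and once without a result pointer, would cover both paths.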