From 72182df7af74e974af4d85a2f4143ea66a318844 Mon Sep 17 00:00:00 2001
From: Andre Noll
Date: Mon, 12 Jun 2023 18:06:10 +0200
Subject: [PATCH] server: Fix NULL pointer dereference in com_ls().

The previous commit which extended the -a option of the ls command to accept an optional argument introduced the following flaw: If the argument of -a corresponds to the name of a mood for which no files are admissible, the server crashes due to a NULL pointer dereference because mood_load() leaves the mood instance pointer uninitialized although it returns zero, indicating success. This behaviour of mood_load() contradicts the promises made in its documentation. Fix mood_load() by not special-casing the "zero admissible files" case, which even simplifies the code a bit. If all goes well but no files turn out to be admissible, we now open the score table anyway and set the mood pointer to the allocated mood as usual. Since get_statistics() may now be called with zero admissible files, we have to add a check there before dividing by the number of admissible files, Fixes: 2d2637cb4c9ab76fea6bc336b9af88fd00bf5e08
---
 mood.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/mood.c b/mood.c
index 804fb576..ddd2f1cc 100644
--- a/mood.c
+++ b/mood.c
@@ -531,6 +531,8 @@ static char *get_statistics(struct mood_instance *m, int64_t sse)
 	unsigned n = m->stats.num;
 	int mean_days, sigma_days;
 
+	if (n == 0)
+		return make_message("no admissible files\n");
 	mean_days = (sse - m->stats.last_played_sum / n) / 3600 / 24;
 	sigma_days = int_sqrt(m->stats.last_played_qd / n) / 3600 / 24;
 	return make_message(
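Review bot: The guard added before the two divisions does not say why n can now be zero, and a reader of get_statistics() alone will not connect it to the relaxed contract of mood_load(); a short comment would make the dependency explicit, e.g. `/* mood_load() no longer rejects moods with no admissible files, so n may be zero */`. get_statistics() starts and ends outside this hunk, so whether any other computation in it assumes n > 0 cannot be checked here. The early return presumably hands back a heap string from make_message() just like the normal path, so caller ownership should be unchanged — worth confirming against make_message().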
@@ -638,12 +640,6 @@ int mood_load(const char *mood_name, struct mood_instance **result, char **msg)
 	}
 	clock_get_realtime(&rnow);
 	compute_correction_factors(rnow.tv_sec, &aa.m->stats);
-	if (aa.m->stats.num == 0) {
-		if (msg)
-			*msg = make_message("no admissible files\n");
-		ret = 0;
-		goto out;
-	}
 	if (result)
 		score_open(&aa.m->score_table);
 	for (i = 0; i < aa.m->stats.num; i++) {
-- 
2.39.5
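Review bot: Removing this early exit also removes the only place in the hunk that stored the "no admissible files" text into *msg, so for a zero-file mood the caller now depends on code after the hunk to populate *msg; mood_load() starts and ends outside the hunk, so I cannot see whether a later path (for instance one that calls get_statistics()) does this, and if none does, *msg may be left untouched on the success path. A comment at the deletion site would pin the new contract down, e.g. `/* stats.num may be zero here: the loop below is then a no-op and get_statistics() reports the empty mood */`. The removed block also skipped score_open(), so a zero-file mood now allocates a score table that the caller must release through the normal unload path, which the description presents as intended.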