NULL pointer write in libpff_record_entry_get_multi_value() at libpff_record_entry.c:2840. Copy-paste bug: line 2793 checks value_offset instead of value_size after allocating value_size.
Commit: 06f239d | CWE: CWE-476
Bug
// libpff_record_entry.c:2790-2793
internal_multi_value->value_size = (size_t *) memory_allocate(
sizeof( size_t ) * internal_multi_value->number_of_values );
if( internal_multi_value->value_offset == NULL ) // BUG: should be value_size
If the value_size allocation fails, the resulting NULL is never caught and is written through at line 2840 (the ASAN report below shows a WRITE to address 0). The check at line 2793 is always satisfied because it tests value_offset, which was allocated and checked just before, rather than the pointer that was just assigned. On 64-bit the value_size allocation is twice the size of the value_offset allocation for the same count (sizeof(size_t) = 8 vs sizeof(uint32_t) = 4), so a large number_of_values can make the second allocation fail while the first succeeds, which is exactly the case the copy-pasted check cannot detect.
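The following is a constructed C example added for this write-up, not libpff code: the struct and function names are stand-ins modelled on the report, and the allocator with a size ceiling is invented to reproduce the failure mode. It shows the uint32_t array succeeding while the twice-as-large size_t array fails, the copy-pasted check letting the NULL through, and the corrected check catching it. The -2 return stands in for the write at line 2840 so the program reports the condition instead of crashing; the byte counts in the comments assume a 64-bit (LP64) build as in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the libpff multi-value structure; only the
 * fields named in the report are modelled. */
typedef struct {
    uint32_t  number_of_values;
    uint32_t *value_offset;   /* 4 bytes per entry */
    size_t   *value_size;     /* 8 bytes per entry on LP64 */
} multi_value_t;

/* Constructed allocator: refuses any single request larger than alloc_limit
 * bytes, mimicking the case where the uint32_t array fits in memory but the
 * size_t array (twice as large for the same count) does not. */
static size_t alloc_limit = SIZE_MAX;

static void *limited_allocate(size_t bytes) {
    if (bytes > alloc_limit) return NULL;
    return malloc(bytes);
}

static void free_multi_value(multi_value_t *mv) {
    free(mv->value_offset);
    free(mv->value_size);
    mv->value_offset = NULL;
    mv->value_size = NULL;
}

/* Return codes:
 *   0  both arrays allocated and initialised
 *  -1  allocation failure detected by the NULL check
 *  -2  the NULL check passed although value_size is NULL; the original code
 *      would now write through it (SEGV at address 0), here we only report it */
static int init_multi_value(multi_value_t *mv, uint32_t n, int fixed_check) {
    memset(mv, 0, sizeof *mv);
    mv->number_of_values = n;

    mv->value_offset = limited_allocate(sizeof(uint32_t) * n);
    if (mv->value_offset == NULL) return -1;

    mv->value_size = limited_allocate(sizeof(size_t) * n);
    /* Original line 2793 tests value_offset (a copy of the previous check,
     * always non-NULL at this point); the fix tests the pointer just assigned. */
    const void *checked = fixed_check ? (const void *)mv->value_size
                                      : (const void *)mv->value_offset;
    if (checked == NULL) {
        free_multi_value(mv);
        return -1;
    }
    if (mv->value_size == NULL) {
        free_multi_value(mv);
        return -2;
    }
    for (uint32_t i = 0; i < n; i++) {  /* the kind of stores line 2840 performs */
        mv->value_offset[i] = 0;
        mv->value_size[i] = 0;
    }
    return 0;
}

/* Runs one scenario under a given allocator ceiling and returns the code above. */
int run_scenario(size_t limit, uint32_t n, int fixed_check) {
    multi_value_t mv;
    alloc_limit = limit;
    int rc = init_multi_value(&mv, n, fixed_check);
    if (rc == 0) free_multi_value(&mv);
    alloc_limit = SIZE_MAX;
    return rc;
}

int main(void) {
    uint32_t n = 1000;
    /* ceiling equals 4*n: value_offset fits exactly, value_size (8*n) does not */
    printf("buggy check: %d\n", run_scenario(sizeof(uint32_t) * n, n, 0));  /* -2 on LP64 */
    printf("fixed check: %d\n", run_scenario(sizeof(uint32_t) * n, n, 1));  /* -1 on LP64 */
    printf("no pressure: %d\n", run_scenario(SIZE_MAX, n, 1));              /*  0 */
    return 0;
}
```

The general lesson the example encodes: a NULL check that names a different variable than the one just assigned is dead code, and it stays invisible until the two allocations diverge in size. Reviewing each `x = allocate(...)` together with the `if (x == NULL)` that follows it, or using a helper that allocates and checks in one call, removes the opportunity for this copy-paste error.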
ASAN
==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
==1==The signal is caused by a WRITE memory access.
#0 in libpff_record_entry_get_multi_value libpff_record_entry.c:2840
SUMMARY: AddressSanitizer: SEGV libpff_record_entry.c:2840
Fix
-if( internal_multi_value->value_offset == NULL )
+if( internal_multi_value->value_size == NULL )
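Review bot: the corrected condition is right, but the error branch it guards is not in the hunk; since value_offset was allocated immediately before this check (per the description above), confirm that the branch frees internal_multi_value->value_offset and resets it to NULL before returning, otherwise a failed value_size allocation now leaks the first array instead of crashing.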