From 3497f451c37f99925328009e3fcbfaaaa16ae0be Mon Sep 17 00:00:00 2001
From: Hans Petter Jansson
Date: Sun, 29 May 2022 23:35:10 +0200
Subject: [PATCH] batch: Fix crash caused by calling post_func on unused batch entries

A null pointer dereference could happen when running with more threads than there were rows in the image, leading to denial of service (crash). Reported by @han0nly via huntr.dev.
---
 chafa/internal/chafa-batch.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/chafa/internal/chafa-batch.c b/chafa/internal/chafa-batch.c
index 9d6a6840..dd72630e 100644
--- a/chafa/internal/chafa-batch.c
+++ b/chafa/internal/chafa-batch.c
@@ -82,7 +82,12 @@ chafa_process_batches (gpointer ctx, GFunc batch_func, GFunc post_func, gint n_r
 }
 if (row_ofs [0] >= row_ofs [1])
+ {
+ /* Save the number of batches actually produced to use in
+ * post_func loop later. */
+ n_batches = i;
 break;
+ }
 batch = &batches [i++];
 batch->first_row = row_ofs [0];
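Review bot: The added `n_batches = i;` in the early-break branch reuses one variable for two meanings: the number of slots requested and the number of entries actually filled in. Every later reader of `n_batches` (the post_func loop the comment refers to, and any cleanup) is outside this hunk, as are the start and end of the function, so whether all of them want the smaller value should be checked. A dedicated count would make the bound explicit, for example `n_filled = i;` here with the post_func loop running `for (i = 0; i < n_filled; i++)`. The comment could also give the reason rather than only the mechanism: `/* Entries from i onward were never filled in; post_func must not be called on them. */`. A regression test that renders an image with fewer rows than worker threads would pin the crash described in the commit message.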