The desc_create() function calls parse_flags() with explicitly
NULL 'props' and 'ext_props' pointer arguments. The parse_flags()
function then in turn hands these to parse_chrc_flags(), which
dereferences them unconditionally.
This adds explicit NULL checks in the internal parsing routines,
returning a failure code.
---
src/gatt-database.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/gatt-database.c b/src/gatt-database.c
index 90cc4bade..fa3d79aab 100644
--- a/src/gatt-database.c
+++ b/src/gatt-database.c
@@ -1597,7 +1597,11 @@ static bool parse_chrc_flags(DBusMessageIter
*array, uint8_t *props,
{
const char *flag;
- *props = *ext_props = 0;
+ if (!props || ! ext_props)
+ return false;
+
+ *props = 0;
+ *ext_props = 0;
do {
if (dbus_message_iter_get_arg_type(array) != DBUS_TYPE_STRING)
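Review bot: `if (!props || ! ext_props)` has a stray space after the second `!`; the surrounding style, as in `if (!perm)` in the next hunk, would be `if (!props || !ext_props)`. More substantively, taking the description at face value (desc_create() reaching parse_chrc_flags() with NULL props and ext_props), returning false here turns the crash into an unconditional parse failure for every descriptor, so desc_create() could no longer register any descriptor unless its caller treats this result differently; parse_flags() and its callers are outside the hunk, so this is inferred from the description rather than from visible code. If the descriptor path is meant to share this routine, treating a NULL output pointer as "not requested" and skipping only the store, or routing descriptors to parse_desc_flags() in parse_flags() before reaching this point, would preserve the feature while still removing the dereference. A one-line comment above the check, e.g. `/* props/ext_props may be NULL when called for a descriptor; see desc_create() */`, would tell the next reader which callers may legitimately pass NULL. parse_chrc_flags() begins and ends outside the hunk.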
@@ -1673,6 +1677,9 @@ static bool parse_desc_flags(DBusMessageIter
*array, uint32_t *perm,
{
const char *flag;
+ if (!perm)
+ return false;
+
*perm = 0;
do {
--
2.29.2.windows.2