
Fix a null pointer dereference bug in function parse_msg

Open mugitya03 opened this issue 10 months ago • 0 comments

Explanation of the bug

The function parse_msg may return a null value.

static rapidjson::Value* parse_msg(const Message *msg, rapidjson::Value::AllocatorType& allocator)
{
    const Descriptor *d = msg->GetDescriptor();
    if (!d)
        return NULL;
    size_t count = d->field_count();
    rapidjson::Value* root = new rapidjson::Value(rapidjson::kObjectType);
    if (!root)
        return NULL;
    ...

In function field2json, the return value from parse_msg at line 214 is assigned to the pointer json and returned to the caller at line 235.

            else
            {
                const Message *value = &(ref->GetMessage(*msg, field));
                json = parse_msg(value, allocator);                  // propagate to the pointer json
            }
            break;
        default:
            break;
    }
    return json;         // return to caller function

Then, in function parse_msg, the return value from field2json at line 269 is assigned to field_json and dereferenced without a null check at line 270, causing a null pointer dereference bug.

            rapidjson::Value* field_json = field2json(msg, field, allocator);
            root->AddMember(name, *field_json, allocator);                 // NPD here
            delete field_json;

Fix

I add a null check after calling the function field2json.

mugitya03, Mar 10 '25 01:03
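The call chain the issue describes, as an added example that is not part of the issue or of sofa-pbrpc. The real functions take google::protobuf::Message and rapidjson::Value; here Descriptor, Message and JsonValue are assumed stand-ins that keep only what the null propagation needs (a field list, a nullable descriptor, nested message fields, an AddMember), so the example compiles without protobuf or rapidjson. The recovery is also an assumption: the issue only says a null check is added, not whether a null field result should skip the field or fail the conversion; this version fails the whole conversion and frees the partially built root, matching how parse_msg already returns NULL for a missing descriptor.

```cpp
// Added example, not sofa-pbrpc code. Stand-in types model the protobuf and
// rapidjson pieces the issue touches so the null-propagation chain compiles alone.
#include <cstddef>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Assumed stand-in for google::protobuf::Descriptor: just the field names.
struct Descriptor {
    std::vector<std::string> fields;
};

// Assumed stand-in for google::protobuf::Message. A null `desc` models the
// case in which GetDescriptor() returns NULL and parse_msg returns NULL.
struct Message {
    const Descriptor* desc = nullptr;
    std::map<std::string, const Message*> subs;  // message-typed fields
    const Descriptor* GetDescriptor() const { return desc; }
};

// Assumed stand-in for rapidjson::Value (object type only).
struct JsonValue {
    std::map<std::string, std::unique_ptr<JsonValue>> members;
    void AddMember(const std::string& name, std::unique_ptr<JsonValue> v) {
        members[name] = std::move(v);
    }
};

static JsonValue* parse_msg(const Message* msg);

// Mirrors the issue's field2json for a message-typed field: whatever parse_msg
// returns, including NULL, is propagated to the caller.
static JsonValue* field2json(const Message* msg, const std::string& field) {
    auto it = msg->subs.find(field);
    if (it == msg->subs.end())
        return nullptr;
    return parse_msg(it->second);
}

// parse_msg with the check the issue adds. Assumption: a NULL field result
// fails the whole conversion (the issue does not say whether to skip or fail);
// root is freed so the early return does not leak.
static JsonValue* parse_msg(const Message* msg) {
    const Descriptor* d = msg->GetDescriptor();
    if (!d)
        return nullptr;
    JsonValue* root = new JsonValue();
    for (const std::string& name : d->fields) {
        JsonValue* field_json = field2json(msg, name);
        if (!field_json) {            // the unchecked original dereferenced here
            delete root;
            return nullptr;
        }
        root->AddMember(name, std::unique_ptr<JsonValue>(field_json));
    }
    return root;
}

// Constructed input: nested message whose descriptor is NULL, the trigger
// described in the issue. Returns true when parse_msg fails cleanly.
static bool nested_null_descriptor_fails_cleanly() {
    Message inner;                       // desc stays nullptr
    Descriptor outer_d;
    outer_d.fields = {"child"};
    Message outer;
    outer.desc = &outer_d;
    outer.subs["child"] = &inner;
    std::unique_ptr<JsonValue> r(parse_msg(&outer));
    return r == nullptr;
}

// Constructed input: well-formed two-level message; returns the number of
// members in the resulting JSON object (one, "child").
static std::size_t well_formed_member_count() {
    Descriptor inner_d;                  // no fields
    Message inner;
    inner.desc = &inner_d;
    Descriptor outer_d;
    outer_d.fields = {"child"};
    Message outer;
    outer.desc = &outer_d;
    outer.subs["child"] = &inner;
    std::unique_ptr<JsonValue> r(parse_msg(&outer));
    return r ? r->members.size() : 0;
}
```

The first constructed input is the exact shape that crashed the unchecked code: the inner message makes parse_msg return NULL, field2json hands that NULL back, and the outer parse_msg would have dereferenced it in AddMember. With the check, the outer call returns NULL instead and nothing is leaked.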