NULL pointer dereference in libpff_record_entry_get_multi_value (wrong NULL check variable)

NULL pointer write in `libpff_record_entry_get_multi_value()` at `libpff_record_entry.c:2840`. Copy-paste bug: line 2793 checks `value_offset` instead of `value_size` after allocating `value_size`.

**Commit**: `06f239d` | **CWE**: CWE-476

### Bug

```c
// libpff_record_entry.c:2790-2793
internal_multi_value->value_size = (size_t *) memory_allocate(
    sizeof( size_t ) * internal_multi_value->number_of_values );

if( internal_multi_value->value_offset == NULL )  // BUG: should be value_size
```

If `value_size` allocation fails, NULL is never caught → dereferenced at line 2840. On 64-bit, `value_size` alloc is 2x larger than `value_offset` (`sizeof(size_t)=8` vs `sizeof(uint32_t)=4`), so a large `number_of_values` can fail one but not the other.

### ASAN

```
==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
==1==The signal is caused by a WRITE memory access.
    #0 in libpff_record_entry_get_multi_value libpff_record_entry.c:2840
SUMMARY: AddressSanitizer: SEGV libpff_record_entry.c:2840
```

### Fix

```diff
-if( internal_multi_value->value_offset == NULL )
+if( internal_multi_value->value_size == NULL )
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

NULL pointer dereference in libpff_record_entry_get_multi_value (wrong NULL check variable) #153

Bug

ASAN

Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

NULL pointer dereference in libpff_record_entry_get_multi_value (wrong NULL check variable) #153

Description

Bug

ASAN

Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions