The value returned by malloc is not checked, so when an allocation fails the code dereferences a NULL pointer. On a system with restrictive memory protection (the zero page unmapped) this is a segmentation fault; on a system without such restrictions (e.g. some embedded environments) it becomes a write to memory near address 0.
Run the tested application under gdb with ErrorSanitizer preloaded:
gdb -batch -ex='run' -ex='backtrace' --args env LD_PRELOAD=$ESAN/error_sanitizer_preload.so ./test_mysofa_open.elf temp_377.cur_input
You should see output similar to:
Program received signal SIGSEGV, Segmentation fault.
0x000055555555f268 in readOHDRHeaderMessageAttribute (reader=0x7fffffffd960, dataobject=0x55555577cf08) at libmysofa-1.1/src/hdf/dataobject.c:1003
1003 attr->name = name;
#0 0x000055555555f268 in readOHDRHeaderMessageAttribute (reader=0x7fffffffd960, dataobject=0x55555577cf08) at libmysofa-1.1/src/hdf/dataobject.c:1003
#1 0x000055555555f9c6 in readOHDRmessages (reader=0x7fffffffd960, dataobject=0x55555577cf08, end_of_messages=12021) at libmysofa-1.1/src/hdf/dataobject.c:1116
#2 0x000055555555fc68 in readOCHK (reader=0x7fffffffd960, dataobject=0x55555577cf08, end=12025) at libmysofa-1.1/src/hdf/dataobject.c:1158
#3 0x000055555555ebbe in readOHDRHeaderMessageContinue (reader=0x7fffffffd960, dataobject=0x55555577cf08) at libmysofa-1.1/src/hdf/dataobject.c:886
#4 0x000055555555fa25 in readOHDRmessages (reader=0x7fffffffd960, dataobject=0x55555577cf08, end_of_messages=6565) at libmysofa-1.1/src/hdf/dataobject.c:1120
#5 0x000055555555ff71 in dataobjectRead (reader=0x7fffffffd960, dataobject=0x55555577cf08, name=0x55555577cc30 "ListenerUp") at libmysofa-1.1/src/hdf/dataobject.c:1207
#6 0x0000555555562513 in directblockRead (reader=0x7fffffffd960, dataobject=0x7fffffffd998, fractalheap=0x7fffffffdab0) at libmysofa-1.1/src/hdf/fractalhead.c:238
#7 0x0000555555563a70 in fractalheapRead (reader=0x7fffffffd960, dataobject=0x7fffffffd998, fractalheap=0x7fffffffdab0) at libmysofa-1.1/src/hdf/fractalhead.c:638
#8 0x0000555555560163 in dataobjectRead (reader=0x7fffffffd960, dataobject=0x7fffffffd998, name=0x0) at libmysofa-1.1/src/hdf/dataobject.c:1232
#9 0x000055555555b6ba in superblockRead2or3 (reader=0x7fffffffd960, superblock=0x7fffffffd970) at libmysofa-1.1/src/hdf/superblock.c:64
#10 0x000055555555bd8f in superblockRead (reader=0x7fffffffd960, superblock=0x7fffffffd970) at libmysofa-1.1/src/hdf/superblock.c:170
#11 0x000055555555ae96 in mysofa_load (filename=0x7fffffffe1dc "temp_377.esn_input", err=0x7fffffffdd2c) at libmysofa-1.1/src/hrtf/reader.c:305
#12 0x0000555555558839 in mysofa_open_default (filename=0x7fffffffe1dc "temp_377.esn_input", samplerate=48000, filterlength=0x7fffffffdd28, err=0x7fffffffdd2c, applyNorm=true, neighbor_angle_step=0.5, neighbor_radius_step=0.00999999978) at libmysofa-1.1/src/hrtf/easy.c:37
#13 0x0000555555558b86 in mysofa_open (filename=0x7fffffffe1dc "temp_377.esn_input", samplerate=48000, filterlength=0x7fffffffdd28, err=0x7fffffffdd2c) at libmysofa-1.1/src/hrtf/easy.c:86
#14 0x0000555555558748 in main ()
Vulnerable code (hdf/dataobject.c:1002-1006):
See the following recommendation for details (especially the calloc example): https://wiki.sei.cmu.edu/confluence/display/c/ERR33-C.+Detect+and+handle+standard+library+errors
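The following is an added illustration of the pattern behind this report and of the ERR33-C recommendation; it is not libmysofa's code. The attr struct, the attr_read_* functions and the injected_malloc hook are hypothetical stand-ins: the hook lets the caller make the n-th allocation fail, much as ErrorSanitizer does at run time, so the unchecked and the hardened version can be compared on the same input.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical attribute record standing in for the object whose field is
 * written at dataobject.c:1003 ("attr->name = name") in the report above. */
struct attr {
    char *name;
};

/* Allocator hook so the caller can inject the failure that ErrorSanitizer
 * injects at run time. fail_at == 0 means never fail; n means fail the n-th call. */
typedef void *(*alloc_fn)(size_t);

static int g_fail_at = 0;
static int g_calls = 0;

void inject_reset(int fail_at) {
    g_calls = 0;
    g_fail_at = fail_at;
}

void *injected_malloc(size_t n) {
    if (++g_calls == g_fail_at)
        return NULL;            /* simulated ENOMEM */
    return malloc(n);
}

/* The pattern behind the reported crash: the result of alloc() is used
 * without a check, so a failed allocation writes through a NULL pointer.
 * Only safe to call with an allocator that never fails. */
struct attr *attr_read_unchecked(const char *name_src, alloc_fn alloc) {
    char *name = alloc(strlen(name_src) + 1);
    strcpy(name, name_src);                 /* NULL dereference if alloc failed */
    struct attr *attr = alloc(sizeof *attr);
    attr->name = name;                      /* the write at dataobject.c:1003 */
    return attr;
}

/* Hardened version following ERR33-C: every allocation is checked, partial
 * work is released on failure, and the caller gets NULL instead of a crash. */
struct attr *attr_read_checked(const char *name_src, alloc_fn alloc) {
    size_t len = strlen(name_src) + 1;
    char *name = alloc(len);
    if (name == NULL)
        return NULL;
    memcpy(name, name_src, len);

    struct attr *attr = alloc(sizeof *attr);
    if (attr == NULL) {
        free(name);                         /* do not leak the name on failure */
        return NULL;
    }
    attr->name = name;
    return attr;
}

void attr_free(struct attr *attr) {
    if (attr == NULL)
        return;
    free(attr->name);
    free(attr);
}

/* Runs the hardened reader with the n-th allocation failing.
 * Returns 1 if an attribute with the expected name came back, 0 if the
 * reader reported failure by returning NULL. */
int checked_result(int fail_at) {
    inject_reset(fail_at);
    struct attr *attr = attr_read_checked("ListenerUp", injected_malloc);
    int ok = attr != NULL && strcmp(attr->name, "ListenerUp") == 0;
    attr_free(attr);
    return ok;
}

int main(void) {
    /* Constructed scenarios: no failure, first allocation fails, second fails. */
    printf("no injected failure:  %s\n", checked_result(0) ? "attribute read" : "NULL");
    printf("1st allocation fails: %s\n", checked_result(1) ? "attribute read" : "NULL");
    printf("2nd allocation fails: %s\n", checked_result(2) ? "attribute read" : "NULL");

    /* The unchecked reader is only exercised with a working allocator;
     * with fail_at != 0 it would crash exactly like the backtrace above. */
    inject_reset(0);
    struct attr *attr = attr_read_unchecked("ListenerUp", injected_malloc);
    printf("unchecked, no failure: %s\n", attr->name);
    attr_free(attr);
    return 0;
}
```

With the hook set to fail the second allocation, attr_read_checked returns NULL and has already freed the name buffer; the unchecked reader would instead write attr->name through a NULL attr, which is the SIGSEGV in the backtrace above.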
The issue can be reproduced and tested using ErrorSanitizer (https://gitlab.com/ErrorSanitizer/ErrorSanitizer).
Reproduction steps:
Download and compile ErrorSanitizer (https://gitlab.com/ErrorSanitizer/ErrorSanitizer#compilation).
Set ESAN to the ErrorSanitizer directory:
export ESAN=/opt/...
Download and unzip the attached input file temp_377.cur_input (attachment: temp_377.cur_input.zip).
Download, unzip and compile the provided libmysofa example test_mysofa_open.c (attachment: test_mysofa_open.c.zip):
gcc -c test_mysofa_open.c -o test_mysofa_open.o
gcc test_mysofa_open.o ./src/libmysofa.a -lm -lgcov -lz -o test_mysofa_open.elf
Run the tested application under gdb with ErrorSanitizer preloaded, using the gdb command given above; the expected result is the SIGSEGV in readOHDRHeaderMessageAttribute with the backtrace shown above.