
Fix NULL pointer dereference in freenect_init_registration_table() #697

Open

hirorogo wants to merge 1 commit into OpenKinect:master from hirorogo:fix/null-deref-init-registration-table

Conversation


@hirorogo hirorogo commented Mar 31, 2026

Summary

In freenect_init_registration_table() (src/registration.c), two malloc() calls allocate temporary buffers that are immediately passed to memset() and later used for array indexing without NULL checks. If either allocation fails, this causes a NULL pointer dereference. Added a guard clause after both allocations.

PoC

```c
// Reproduction: freenect_init_registration_table NULL dereference
// malloc failure -> memset(NULL, ...) -> crash
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Simulates the buggy init function (size_t so the huge test size from main
// is not truncated to int on the way in)
int init_registration_table_buggy(size_t num_pixels) {
    double *reg_pad = (double *)malloc(num_pixels * sizeof(double));
    double *reg_dist = (double *)malloc(num_pixels * sizeof(double));

    // BUG: no NULL check — crashes if malloc returns NULL
    memset(reg_pad, 0, num_pixels * sizeof(double));   // NULL deref
    memset(reg_dist, 0, num_pixels * sizeof(double));   // NULL deref

    // ... array access reg_pad[i], reg_dist[i] ...
    free(reg_pad);
    free(reg_dist);
    return 0;
}

int init_registration_table_fixed(size_t num_pixels) {
    double *reg_pad = (double *)malloc(num_pixels * sizeof(double));
    double *reg_dist = (double *)malloc(num_pixels * sizeof(double));

    // FIX: NULL check; free(NULL) is a no-op, so whichever buffer did
    // succeed is released before returning
    if (!reg_pad || !reg_dist) {
        printf("  FIXED: allocation failed, returning safely\n");
        free(reg_pad);
        free(reg_dist);
        return -1;
    }

    memset(reg_pad, 0, num_pixels * sizeof(double));
    memset(reg_dist, 0, num_pixels * sizeof(double));
    free(reg_pad);
    free(reg_dist);
    return 0;
}

int main(void) {
    // Force malloc failure by requesting an absurd size
    size_t huge = (size_t)-1 / 2;

    printf("=== FIXED ===\n");
    init_registration_table_fixed(huge);

    printf("=== BUGGY ===\n");
#ifdef _WIN32
    // SEH catches the access violation so the program can report it
    __try {
        init_registration_table_buggy(huge);
    } __except(1) {
        printf("  ACCESS VIOLATION: NULL pointer dereference confirmed\n");
    }
#else
    // Without SEH the buggy call would simply terminate the process
    printf("  (buggy path skipped on non-Windows; it would segfault)\n");
#endif
    return 0;
}
```

Output:

```
=== FIXED ===
  FIXED: allocation failed, returning safely
=== BUGGY ===
  ACCESS VIOLATION: NULL pointer dereference confirmed
```

Test plan

  • Project builds successfully with the change
  • No functional regression in registration table initialization

Add NULL checks after malloc() calls for regtable_dx and regtable_dy.
Previously, if either allocation failed, the code would dereference NULL
pointers in the subsequent memset() and array access operations.

On allocation failure, free any partially allocated buffer and return
early to avoid undefined behavior.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
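The guard described in the PR summary and commit message, exercised under injected allocation failure so the partial case (first buffer succeeds, second fails) is covered as well as the total one; this is an added example, not code from the PR or from libfreenect. `test_malloc`, `test_free` and `init_registration_table_guarded` are hypothetical stand-ins, the pixel count is constructed, and the size-overflow check is an extra beyond the PR's fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Fault injection (constructed for this example): the allocator returns NULL
 * on call number fail_on_call (1-based; 0 disables it) and counts live blocks
 * so a test can confirm the guard frees the buffer that did succeed. */
static int alloc_calls = 0, fail_on_call = 0, live_allocs = 0;

static void *test_malloc(size_t n) {
    if (++alloc_calls == fail_on_call) return NULL;
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}

static void test_free(void *p) {
    if (p) live_allocs--;
    free(p);
}

/* Guarded initialisation following the PR's fix (hypothetical stand-in for
 * freenect_init_registration_table): fail early rather than pass NULL on. */
int init_registration_table_guarded(size_t num_pixels) {
    /* Extra check beyond the PR: refuse counts whose byte size would wrap. */
    if (num_pixels > SIZE_MAX / sizeof(double)) return -1;
    double *regtable_dx = test_malloc(num_pixels * sizeof(double));
    double *regtable_dy = test_malloc(num_pixels * sizeof(double));
    if (!regtable_dx || !regtable_dy) {
        test_free(regtable_dx);   /* free(NULL) is a no-op, so either may be NULL */
        test_free(regtable_dy);
        return -1;
    }
    memset(regtable_dx, 0, num_pixels * sizeof(double));
    memset(regtable_dy, 0, num_pixels * sizeof(double));
    /* ... the real table computation indexes regtable_dx[i] / regtable_dy[i] here ... */
    test_free(regtable_dx);
    test_free(regtable_dy);
    return 0;
}

/* Runs the guarded function with the allocator failing on call fail_call
 * (0 = never) over a constructed 640x480 pixel count. Returns 1 when the
 * return code matched the expectation and no allocation leaked. */
int check_allocation_failure(int fail_call) {
    alloc_calls = 0; fail_on_call = fail_call; live_allocs = 0;
    int rc = init_registration_table_guarded(640 * 480);
    return rc == (fail_call ? -1 : 0) && live_allocs == 0;
}
```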