
Fix null pointer dereference on malloc failure in registration#698

Open
hirorogo wants to merge 1 commit into
OpenKinect:masterfrom
hirorogo:fix/registration-malloc-null-check
Open


Conversation


@hirorogo hirorogo commented Mar 31, 2026


Summary

freenect_init_registration_table() in src/registration.c calls malloc() twice (lines 289-290) to allocate regtable_dx and regtable_dy, then immediately passes the results to memset() (lines 291-292) without checking for NULL. If either allocation fails, memset() dereferences a null pointer, causing a segfault.

Fix

  • Added a NULL check after each malloc() call
  • If the first allocation fails, return immediately
  • If the second allocation fails, free the first allocation before returning
  • This is a minimal, safe fix that prevents the null pointer dereference

PoC

#include <cstdio>
#include <cstdlib>
#include <cstring>

// Reproduction of the vulnerable code pattern from registration.c L289-292
void freenect_init_registration_table_buggy() {
    // Simulate malloc failure
    double* regtable_dx = NULL;  // malloc fails
    double* regtable_dy = (double*)malloc(640 * 480 * sizeof(double));

    // Original code: no NULL check before memset
    memset(regtable_dx, 0, 640 * 480 * sizeof(double));  // CRASH
    memset(regtable_dy, 0, 640 * 480 * sizeof(double));

    free(regtable_dy);
}

int main() {
    // MSVC structured exception handling (SEH): catches the access violation
    // raised by the NULL dereference so the process can report it instead of dying
    __try {
        freenect_init_registration_table_buggy();
    }
    __except(1) {
        printf("ACCESS VIOLATION: NULL pointer dereference in memset confirmed\n");
    }
    return 0;
}

Result:

ACCESS VIOLATION: NULL pointer dereference in memset confirmed

How it was found

This bug was identified as PROP-N4-npd-005 during a SPECA security audit.


1 participant