[BUG] Likely `use after free` when looking at setupPin in ContentAppCommandDelegate #30155

andy31415 · 2023-11-01T18:33:47Z

Code is:

if (!value[setupPINFieldId].empty())
{
    getSetupPINresponse.setupPIN = CharSpan::fromCharString(value[setupPINFieldId].asCString());
    // ...

that c-str may not be available once value goes out of scope.
Overall https://github.com/project-chip/connectedhomeip/blob/master/examples/tv-app/android/java/ContentAppCommandDelegate.cpp seems to be using this pattern quite frequently and we should validate if it is safe (and comment on the lifetime of the c_string, as https://open-source-parsers.github.io/jsoncpp-docs/doxygen/class_json_1_1_value.html#a7d99f5dba388cdaa152ce6ef933d64ef says that operator[] just returns a value, so I assume the cstring only lives as long as that value lives.

ALWAYS

android

No response

No response

The text was updated successfully, but these errors were encountered:

andy31415 added bug Something isn't working memory tv TV-related features tv-casting labels Nov 1, 2023

github-project-automation bot added this to [Device Type] TV & Media Nov 1, 2023

github-project-automation bot moved this to Todo in [Device Type] TV & Media Nov 1, 2023

andy31415 mentioned this issue Nov 1, 2023

Move Media::AccountLogin cluster to match the spec #29944

Merged

bzbarsky-apple added the android label Nov 1, 2023

github-project-automation bot added this to [Platform] Android Nov 1, 2023

github-project-automation bot moved this to Todo in [Platform] Android Nov 1, 2023

yunhanw-google assigned yunhanw-google and unassigned yunhanw-google Nov 6, 2023

andy31415 assigned chrisdecenzo Nov 10, 2023

woody-apple added this to the No Target Milestone milestone Nov 27, 2023

Provide feedback