Ensure callback,method_data and thread_storage are initialized to zero

malloc does not clear the memory it allocates and thus random data can be present. It was observed, that cleanup routines assume, that fields not holding NULL need to be freed for example. That is not true if the field was not cleared on allocation. One such example was callback->arg_classes in free_callback.
matthiasblaesing · Apr 24, 2024 · f69984f · f69984f
1 parent 2db19b3
commit f69984f
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 12 deletions.
diff --git a/native/callback.c b/native/callback.c
@@ -133,19 +133,19 @@ create_callback(JNIEnv* env, jobject obj, jobject method,
   }
   argc = (*env)->GetArrayLength(env, arg_classes);
 
-  cb = (callback *)malloc(sizeof(callback));
+  cb = (callback *)calloc(1, sizeof(callback));
   cb->closure = ffi_closure_alloc(sizeof(ffi_closure), &cb->x_closure);
   cb->saved_x_closure = cb->x_closure;
   cb->object = (*env)->NewWeakGlobalRef(env, obj);
   cb->methodID = (*env)->FromReflectedMethod(env, method);
 
   cb->vm = vm;
-  cb->arg_types = (ffi_type**)malloc(sizeof(ffi_type*) * argc);
-  cb->java_arg_types = (ffi_type**)malloc(sizeof(ffi_type*) * (argc + 3));
-  cb->arg_jtypes = (char*)malloc(sizeof(char) * argc);
-  cb->conversion_flags = (int *)malloc(sizeof(int) * argc);
+  cb->arg_types = (ffi_type**)calloc(argc, sizeof(ffi_type*));
+  cb->java_arg_types = (ffi_type**)calloc(argc + 3, sizeof(ffi_type*));
+  cb->arg_jtypes = (char*)calloc(argc, sizeof(char));
+  cb->conversion_flags = (int *)calloc(argc, sizeof(int));
   cb->rflag = CVT_DEFAULT;
-  cb->arg_classes = (jobject*)malloc(sizeof(jobject) * argc);
+  cb->arg_classes = (jobject*)calloc(argc, sizeof(jobject));
 
   cb->direct = direct;
   cb->java_arg_types[0] = cb->java_arg_types[1] = cb->java_arg_types[2] = &ffi_type_pointer;
@@ -163,6 +163,9 @@ create_callback(JNIEnv* env, jobject obj, jobject method,
     }
 
     jtype = get_java_type(env, cls);
+    if((*env)->ExceptionCheck(env)) {
+      goto failure_cleanup;
+    }
     if (jtype == -1) {
       snprintf(msg, sizeof(msg), "Unsupported callback argument at index %d", i);
       throw_type = EIllegalArgument;
@@ -179,7 +182,13 @@ create_callback(JNIEnv* env, jobject obj, jobject method,
         || cb->conversion_flags[i] == CVT_INTEGER_TYPE) {
       jclass ncls;
       ncls = getNativeType(env, cls);
+      if((*env)->ExceptionCheck(env)) {
+        goto failure_cleanup;
+      }
       jtype = get_java_type(env, ncls);
+      if((*env)->ExceptionCheck(env)) {
+        goto failure_cleanup;
+      }
       if (jtype == -1) {
         snprintf(msg, sizeof(msg), "Unsupported NativeMapped callback argument native type at argument %d", i);
         throw_type = EIllegalArgument;
@@ -560,7 +569,7 @@ static TLS_KEY_T tls_thread_data_key;
 static thread_storage* get_thread_storage(JNIEnv* env) {
   thread_storage* tls = (thread_storage *)TLS_GET(tls_thread_data_key);
   if (tls == NULL) {
-    tls = (thread_storage*)malloc(sizeof(thread_storage));
+    tls = (thread_storage*)calloc(1, sizeof(thread_storage));
     if (!tls) {
       throwByName(env, EOutOfMemory, "JNA: Can't allocate thread storage");
     }

diff --git a/native/dispatch.c b/native/dispatch.c
@@ -3497,7 +3497,7 @@ Java_com_sun_jna_Native_registerMethod(JNIEnv *env, jclass UNUSED(ncls),
   const char* sig = newCStringUTF8(env, signature);
   void *code;
   void *closure;
-  method_data* data = malloc(sizeof(method_data));
+  method_data* data = calloc(1, sizeof(method_data));
   ffi_cif* closure_cif = &data->closure_cif;
   int status;
   int i;
@@ -3519,12 +3519,12 @@ Java_com_sun_jna_Native_registerMethod(JNIEnv *env, jclass UNUSED(ncls),
   }
 
   data->throw_last_error = throw_last_error;
-  data->arg_types = malloc(sizeof(ffi_type*) * argc);
-  data->closure_arg_types = malloc(sizeof(ffi_type*) * (argc + 2));
+  data->arg_types = calloc(argc, sizeof(ffi_type*));
+  data->closure_arg_types = calloc(argc + 2, sizeof(ffi_type*));
   data->closure_arg_types[0] = &ffi_type_pointer;
   data->closure_arg_types[1] = &ffi_type_pointer;
   data->closure_method = NULL;
-  data->flags = cvts ? malloc(sizeof(jint)*argc) : NULL;
+  data->flags = cvts ? calloc(argc, sizeof(jint)) : NULL;
   data->rflag = rconversion;
   data->to_native = NULL;
   data->from_native = from_native ? (*env)->NewWeakGlobalRef(env, from_native) : NULL;
@@ -3612,7 +3612,7 @@ Java_com_sun_jna_Native_ffi_1prep_1cif(JNIEnv *env, jclass UNUSED(cls), jint abi
 JNIEXPORT jlong JNICALL
 Java_com_sun_jna_Native_ffi_1prep_1closure(JNIEnv *env, jclass UNUSED(cls), jlong cif, jobject obj)
 {
-  callback* cb = (callback *)malloc(sizeof(callback));
+  callback* cb = (callback *)calloc(1, sizeof(callback));
   ffi_status s;
 
   if ((*env)->GetJavaVM(env, &cb->vm) != JNI_OK) {