From a9c27457d17b142620fac49eea738a9a89b41ea1 Mon Sep 17 00:00:00 2001
From: wxmzy88 <138836771+wxmzy88@users.noreply.github.com>
Date: Tue, 26 May 2026 20:18:45 +0800
Subject: [PATCH] libqcdm/commands: Fix null pointer dereference risks in memory allocation

Problem: Two potential null pointer dereference issues exist in code: 1)Direct access to array pointer without checking malloc return value in log_config_get_set_result 2)Access struct member directly without validating calloc result in qcdm_cmd_log_config_new
Solution: Add NULL check after malloc allocation, return unified error code QCDM_ERROR_RESPONSE_FAILED when memory allocation fails, release created resource before return. Use internal macro qcdm_return_val_if_fail to verify calloc pointer validity, return 0 as failure result conforming existing code style.
---
 libqcdm/src/commands.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libqcdm/src/commands.c b/libqcdm/src/commands.c
index b78c26b7d..7e9e24d3a 100644
--- a/libqcdm/src/commands.c
+++ b/libqcdm/src/commands.c
@@ -1741,6 +1741,8 @@ qcdm_cmd_log_config_new (char *buf,
 qcdm_return_val_if_fail (len >= cmdsize, 0);
 cmd = calloc (1, cmdbufsize);
+ qcdm_return_val_if_fail (cmd != NULL, 0);
+
 cmd->code = DIAG_CMD_LOG_CONFIG;
 cmd->op = htole32 (op);
 cmd->equipid = htole32 (equip_id);
@@ -1877,6 +1879,12 @@ log_config_get_set_result (const char *buf, size_t len, uint32_t op, int *out_er
 if (num_result_items) {
 items = malloc (sizeof (*items) * num_result_items);
+ if (!items) {
+ if (out_error)
+ *out_error = -QCDM_ERROR_RESPONSE_FAILED;
+ qcdm_result_unref (result);
+ return NULL;
+ }
 for (i = 0; i < num_items; i++) {
 if (LOG_CODE_SET (rsp->u.get_set_items.mask, i))
 items[count++] = (equipid << 12) | (i & 0x0FFF);
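Review bot: The added `qcdm_return_val_if_fail (cmd != NULL, 0);` after the `calloc` in `qcdm_cmd_log_config_new` handles a runtime out-of-memory condition with the same macro the preceding context line uses for an argument precondition (`len >= cmdsize`). The macro's definition is not visible here; if it logs the condition as a caller error or can be compiled out in some builds, the allocation check would be misreported or vanish, so a plain `if (cmd == NULL) return 0;` would be the more robust form. The function starts and continues outside the hunk, so whether callers treat a 0 return as failure before using the buffer cannot be confirmed from these lines.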
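Review bot: In `log_config_get_set_result` the new `if (!items)` branch sets `*out_error = -QCDM_ERROR_RESPONSE_FAILED;`, which makes a local allocation failure indistinguishable from a failure reported by the device when someone later reads logs or handles the error. If the libqcdm error enum has a code for allocation failure it belongs here; otherwise a comment above the assignment such as `/* malloc failed; no dedicated error code, reported as a response failure */` would prevent misdiagnosis. `num_result_items` is computed outside the hunk; if it is derived from the response buffer, it is worth confirming that it is bounded so that `sizeof (*items) * num_result_items` cannot wrap before it reaches `malloc`. The function body starts and ends outside the hunk.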