friendlist access (add, delete, ...) causes crashes sometimes

[zoff99]

between those 2 lines m->friendlist may point to old already freed address

c-toxcore/toxcore/Messenger.c

Lines 67 to 73 in 5b14542

	Friend *newfriendlist = (Friend *)realloc(m->friendlist, num * sizeof(Friend));
	if (newfriendlist == nullptr) {
	return -1;
	}
	m->friendlist = newfriendlist;

ToxAV has other threads, so this may be accessed while invalid.

[zoff99]

we must rework all these functions to be safe(r):

m_delfriend()
init_new_friend()
m_addfriend()
realloc_friendlist()
friend_not_valid()
getfriend_id()

[zoff99]

access to invalid (already freed) memory can happen here:

c-toxcore/toxcore/Messenger.c

Line 47 in 5b14542

if (m->friendlist[friendnumber].status != 0) {

and here:

c-toxcore/toxcore/Messenger.c

Line 85 in 5b14542

if (m->friendlist[i].status > 0) {

and a lot of other places

[hugbubby]

Are these exploitable?

[zoff99]

not sure if they are exploitable. but those cause crashes.

#871 #854

[zoff99]

this should be fixed soon. it causes (reported) crashes

[iphydf]

I agree these need to be fixed. In the meantime, you can fix them on the client side with mutexes.

[zoff99]

@iphydf actually no, because they are used in toxav internally