@QiuYitai
Last active June 16, 2025 12:44
Description of the null pointer vulnerability in brplot-v420.69.1
Version: v420.69.1
Discoverer: ZiAo Li <leeziao0331@gmail.com>
Affected Component: src/data_generator.c, static bool br_dagens_handle_once, d
Reference: https://github.com/branc116/brplot/commit/b90e93a0e0d514d48f38d1584496130fa5fe4fe4
Description:
NULL Pointer Dereference vulnerability in br_dagens_handle_once()
The vulnerability is in br_dagens_handle_once() in src/data_generator.c. When br_data_get1(*datas, cur->group_id) returns NULL, which is stored in br_data_t* d, the following happens:
1. cur->state is set to br_dagen_state_failed.
2. In the switch (cur->state) statement the case br_dagen_state_failed branch is taken. Inside that branch the NULL pointer d is dereferenced (d->group_id) in the call to br_data_clear(datas, plots, d->group_id).
```c
static bool br_dagens_handle_once(br_datas_t* datas, br_dagens_t* dagens, br_plots_t* plots) {
  bool any = false;
  for (size_t i = 0; i < dagens->len;) {
    br_dagen_t* cur = &dagens->arr[i];
    br_data_t* d = br_data_get1(*datas, cur->group_id);   /* may return NULL */
    if (NULL == d) cur->state = br_dagen_state_failed;
    else br_dagen_handle(cur, d, *datas);
    switch (cur->state) {
      case br_dagen_state_failed: {
        br_data_clear(datas, plots, d->group_id);         /* d is NULL here: NULL pointer dereference */
        br_da_remove_at(*dagens, i);
      } break;
      case br_dagen_state_finished: br_da_remove_at(*dagens, i); break;
      case br_dagen_state_inprogress: any = true; ++i; break;
      case br_dagen_state_paused: ++i; break;
      default: BR_ASSERT(0);
    }
  }
  return any;
}
```
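The pattern below is an added, self-contained illustration of how the failed branch can avoid touching d at all; it is not the project's code and not the change in the referenced commit. The struct definitions, br_data_get1, br_data_clear and br_da_remove_at are simplified stand-ins for the real brplot ones, and the fix shown (reading the group id from cur->group_id, which the loop already has, instead of from d) is an assumption about how such a branch can be hardened.

```c
// Hypothetical, simplified model of the structures in brplot's
// src/data_generator.c (not the project's real definitions).
#include <stdbool.h>
#include <stddef.h>
typedef enum { st_inprogress, st_failed, st_finished } dagen_state_t;
typedef struct { int group_id; size_t len; } br_data_t;
typedef struct { int group_id; dagen_state_t state; } br_dagen_t;
typedef struct { br_data_t* arr; size_t len; } br_datas_t;
typedef struct { br_dagen_t* arr; size_t len; } br_dagens_t;

// Returns NULL when no data set carries this group id (the trigger condition).
static br_data_t* br_data_get1(br_datas_t datas, int group_id) {
  for (size_t i = 0; i < datas.len; ++i)
    if (datas.arr[i].group_id == group_id) return &datas.arr[i];
  return NULL;
}
static int cleared_group = -1; // records which group br_data_clear was asked to drop
static void br_data_clear(int group_id) { cleared_group = group_id; }
static void br_da_remove_at(br_dagens_t* dagens, size_t i) {
  for (size_t j = i + 1; j < dagens->len; ++j) dagens->arr[j - 1] = dagens->arr[j];
  dagens->len--;
}

// Hardened loop: the failed branch never reads through d, which is NULL
// exactly in that case; the group id it needs is already in cur->group_id.
static bool handle_once_fixed(br_datas_t* datas, br_dagens_t* dagens) {
  bool any = false;
  for (size_t i = 0; i < dagens->len;) {
    br_dagen_t* cur = &dagens->arr[i];
    br_data_t* d = br_data_get1(*datas, cur->group_id);
    if (NULL == d) cur->state = st_failed;
    else cur->state = st_finished;   // stands in for br_dagen_handle() finishing the job
    switch (cur->state) {
      case st_failed: br_data_clear(cur->group_id); br_da_remove_at(dagens, i); break;
      case st_finished: br_da_remove_at(dagens, i); break;
      case st_inprogress: any = true; ++i; break;
    }
  }
  return any;
}

// Constructed scenario: one generator points at group 7, which has no data set.
int run_scenario(void) {
  br_data_t data[1] = { { 1, 0 } };
  br_dagen_t gens[2] = { { 7, st_inprogress }, { 1, st_inprogress } };
  br_datas_t datas = { data, 1 };
  br_dagens_t dagens = { gens, 2 };
  handle_once_fixed(&datas, &dagens);
  return (int)dagens.len * 100 + cleared_group; // both removed, group 7 cleared -> 7
}
```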