From 43c2b425174bf0c761727038e61508040b8da568 Mon Sep 17 00:00:00 2001
From: Mathieu Eyraud <70028899+meyraud705@users.noreply.github.com>
Date: Tue, 4 Jun 2024 13:45:00 +0200
Subject: [PATCH] Fix stack address escape in
 SDL_CameraDevicePermissionOutcome()

If allocation of 'p' fails, 'pending_tail' points to 'pending'.
---
 src/camera/SDL_camera.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/camera/SDL_camera.c b/src/camera/SDL_camera.c
index 22a08791e5..533943c5c5 100644
--- a/src/camera/SDL_camera.c
+++ b/src/camera/SDL_camera.c
@@ -599,12 +599,14 @@ void SDL_CameraDevicePermissionOutcome(SDL_CameraDevice *device, SDL_bool approv
 
     ReleaseCameraDevice(device);
 
-    SDL_LockRWLockForWriting(camera_driver.device_hash_lock);
-    SDL_assert(camera_driver.pending_events_tail != NULL);
-    SDL_assert(camera_driver.pending_events_tail->next == NULL);
-    camera_driver.pending_events_tail->next = pending.next;
-    camera_driver.pending_events_tail = pending_tail;
-    SDL_UnlockRWLock(camera_driver.device_hash_lock);
+    if (pending.next) {  // NULL if event is disabled or disaster struck.
+        SDL_LockRWLockForWriting(camera_driver.device_hash_lock);
+        SDL_assert(camera_driver.pending_events_tail != NULL);
+        SDL_assert(camera_driver.pending_events_tail->next == NULL);
+        camera_driver.pending_events_tail->next = pending.next;
+        camera_driver.pending_events_tail = pending_tail;
+        SDL_UnlockRWLock(camera_driver.device_hash_lock);
+    }
 }