From 026ae3af7ab3007a5167093b86d3be59b2f0eaad Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Tue, 28 Apr 2026 10:24:25 +0200
Subject: [PATCH] security: add bounds check for exec argv array in filter-graph
Memory Safety: Medium
The do_exec() function in the filter-graph builtin plugin parses a JSON array of arguments into a fixed-size argv[512] stack buffer without checking whether argc exceeds the array bounds. A crafted filter-graph configuration with more than 511 arguments would cause a stack buffer overflow.
Add a bounds check before each insertion to ensure argc stays within the array limits, reserving space for the NULL terminator.
Co-Authored-By: Claude Opus 4.6
---
 spa/plugins/filter-graph/plugin_builtin.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/spa/plugins/filter-graph/plugin_builtin.c b/spa/plugins/filter-graph/plugin_builtin.c
index fca5c1016..131e9a165 100644
--- a/spa/plugins/filter-graph/plugin_builtin.c
+++ b/spa/plugins/filter-graph/plugin_builtin.c
@@ -2942,6 +2942,10 @@ static int do_exec(struct pipe_impl *impl, const char *command)
 while ((len = spa_json_next(&it[0], &value)) > 0) {
 char *s;
+ if (argc >= (int)SPA_N_ELEMENTS(argv) - 1) {
+ spa_log_error(impl->log, "too many exec arguments");
+ return -E2BIG;
+ }
 if ((s = malloc(len+1)) == NULL)
 return -errno;