mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-30 06:46:49 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: add bounds check for exec argv array in filter-graph

Browse source 
Memory Safety: Medium

The do_exec() function in the filter-graph builtin plugin parses a
JSON array of arguments into a fixed-size argv[512] stack buffer
without checking whether argc exceeds the array bounds. A crafted
filter-graph configuration with more than 511 arguments would cause
a stack buffer overflow.

Add a bounds check before each insertion to ensure argc stays within
the array limits, reserving space for the NULL terminator.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-28 10:24:25 +02:00
parent 9f3d894c10
commit 026ae3af7a
1 changed files with 4 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
spa/plugins/filter-graph/plugin_builtin.c
View file

@ -2942,6 +2942,10 @@ static int do_exec(struct pipe_impl *impl, const char *command)
while ((len = spa_json_next(&it[0], &value)) > 0) { while ((len = spa_json_next(&it[0], &value)) > 0) {
char *s; char *s;
if (argc >= (int)SPA_N_ELEMENTS(argv) - 1) {
spa_log_error(impl->log, "too many exec arguments");
return -E2BIG;
}
if ((s = malloc(len+1)) == NULL) if ((s = malloc(len+1)) == NULL)
return -errno; return -errno;