security: cap alloca size in JSON-to-POD string conversion

Memory Safety: Medium

spa_json_to_pod_part() uses alloca(len+1) to allocate a stack buffer
for JSON string values, where len comes from the JSON parser. Since
this function is recursive (for nested JSON objects/arrays), a
crafted JSON document with large string values can cause stack
exhaustion through unbounded alloca calls.

Add a size check capping the alloca to 8192 bytes, which is generous
for all legitimate PipeWire configuration values (type names, IDs,
property strings) while preventing stack overflow from malicious or
malformed JSON input.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wim Taymans 2026-04-28 10:25:08 +02:00
parent 39ac8cf996
commit 06421554d3


@ -121,7 +121,10 @@ SPA_API_JSON_POD int spa_json_to_pod_part(struct spa_pod_builder *b, uint32_t fl
spa_pod_builder_none(b); spa_pod_builder_none(b);
} }
else { else {
char *val = (char*)alloca(len+1); char *val;
if (len > 8192)
return -ENOSPC;
val = (char*)alloca(len+1);
spa_json_parse_stringn(value, len, val, len+1); spa_json_parse_stringn(value, len, val, len+1);
switch (info ? info->parent : (uint32_t)SPA_TYPE_Struct) { switch (info ? info->parent : (uint32_t)SPA_TYPE_Struct) {
case SPA_TYPE_Id: case SPA_TYPE_Id:
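Review bot: the bound in `if (len > 8192)` is a bare magic number tied to the rationale in the commit message but not to anything in the code; give it a named constant (e.g. a `#define` next to the other limits in this header) so the value and its reason survive future edits. Two smaller points on the same lines: `-ENOSPC` conventionally means "no space left on device", so `-E2BIG` or `-EINVAL` would describe an oversized JSON string value more accurately, and this is a new error return from `spa_json_to_pod_part()`, so every caller that previously could not fail on the string branch should be checked to propagate it rather than treat the partially built pod as valid. Finally, the cap bounds one frame's `alloca(len+1)`, but nothing in this hunk limits nesting depth; since the commit message states the function recurses for nested objects/arrays, a separate depth limit is still worth considering.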