From 06df127ad9c92b193deaada5ad22e921e6863db3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Barnab=C3=A1s=20P=C5=91cze?=
Date: Fri, 3 Feb 2023 22:44:32 +0100
Subject: [PATCH] pipewire: mem: refuse invalid file mapping

Refuse to map a file if the specified `offset + size` would be bigger than the size of the file. This prevents receiving SIGBUS when the consumer tries to make an incorrect mapping. See #2617 #2914 #3007
---
 src/pipewire/mem.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/src/pipewire/mem.c b/src/pipewire/mem.c
index ae9e1e46c..dbf107b07 100644
--- a/src/pipewire/mem.c
+++ b/src/pipewire/mem.c
@@ -33,6 +33,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -363,6 +364,23 @@ struct pw_memmap * pw_memblock_map(struct pw_memblock *block,
 struct mapping *m;
 struct memmap *mm;
 struct pw_map_range range;
+ struct stat sb;
+
+ if (fstat(b->this.fd, &sb) != 0)
+ return NULL;
+
+ const bool valid = (int64_t) offset + size <= (int64_t) sb.st_size;
+ pw_log(valid ? SPA_LOG_LEVEL_DEBUG : SPA_LOG_LEVEL_ERROR,
+ "%p: block %p[%u] mapping %" PRIu32 "+%" PRIu32 " of file=%d/%" PRIu64 ":%" PRIu64 " with size=%" PRId64,
+ block->pool, block, block->id,
+ offset, size,
+ block->fd, (uint64_t) sb.st_dev, (uint64_t) sb.st_ino,
+ (int64_t) sb.st_size);
+
+ if (!valid) {
+ errno = -EINVAL;
+ return NULL;
+ }
 pw_map_range_init(&range, offset, size, p->pagesize);
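Review bot: `errno = -EINVAL;` in the `!valid` branch stores a negative value, whereas errno codes are positive and the fstat() failure path just above leaves a positive one; a caller that tests `errno == EINVAL` or formats the value with strerror() will not recognise the rejection, so the line should read `errno = EINVAL;`. The size comparison is also only a snapshot: if the peer shrinks the file after fstat() returns, an access through the mapping can still raise SIGBUS, so the check catches wrong offsets but is not a guarantee against a misbehaving producer (sealing the fd with F_SEAL_SHRINK, where the fd type supports it, is what closes that gap). It may be worth confirming that every fd type that reaches pw_memblock_map() reports a meaningful st_size, since the hunk applies the check unconditionally, and recording the limit with a comment such as `/* st_size is a snapshot; later truncation can still fault */`. The body of pw_memblock_map() continues outside the hunk.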