security: use overflow-safe arithmetic for NetJack2 MIDI buffer sizes

Memory Safety: High

The recv_midi function calculated MIDI buffer usage from network packet
fields (event_count, write_pos) using plain arithmetic that could
overflow on 32-bit platforms. A crafted NetJack2 packet with a large
event_count could wrap the size_t multiplication, bypassing the bounds
check and causing out-of-bounds memory access. Replaced with
spa_overflow_mul/spa_overflow_add to detect overflow before use.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wim Taymans 2026-04-27 11:27:34 +02:00
parent 6efaf12d00
commit 0bd9a4d033

@ -815,13 +815,14 @@ static int netjack2_recv_midi(struct netjack2_peer *peer, struct nj2_packet_head
for (i = 0; i < active_ports; i++) {
struct nj2_midi_buffer *mbuf = (struct nj2_midi_buffer *)midi_data;
size_t used, events_size;
nj2_midi_buffer_ntoh(mbuf, mbuf);
size_t used = sizeof(*mbuf)
+ mbuf->event_count * sizeof(struct nj2_midi_event)
+ mbuf->write_pos;
if (used < sizeof(*mbuf) || used > midi_size)
if (spa_overflow_mul((size_t)mbuf->event_count, sizeof(struct nj2_midi_event), &events_size) ||
spa_overflow_add(events_size, (size_t)mbuf->write_pos, &used) ||
spa_overflow_add(used, sizeof(*mbuf), &used) ||
used > midi_size)
break;
if (i < n_info && info[i].data != NULL) {
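Review bot: nj2_midi_buffer_ntoh(mbuf, mbuf) byte-swaps the header in place, and event_count and write_pos are read from it, before anything visible in this hunk confirms that midi_size is at least sizeof(*mbuf); the `used > midi_size` test only runs afterwards. Unless the enclosing code already guarantees this, add a `midi_size < sizeof(*mbuf)` check ahead of the ntoh call so a short trailing buffer is rejected before it is touched. The `break` also drops the remaining ports silently; a rate-limited warning that names which condition failed (multiplication overflow, addition overflow or size exceeded) would make malformed packets visible in logs. A short comment noting that event_count and write_pos come from the network would explain the casts and the overflow helpers to later readers.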