mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-02 06:46:36 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix unchecked write_event return value in RTP MIDI

Browse source 
Memory Safety: Critical

write_event() returns a negative int on error (-ENOSPC or -ERANGE),
but its return value was added directly to the uint32_t len variable
without checking. A negative return value would wrap len to a very
large number due to unsigned integer conversion, causing subsequent
buffer writes to go far out of bounds. This could lead to stack
corruption and potential code execution.

Fix by checking the return value of write_event() before using it.
If write_event() fails, abort the flush operation safely.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-29 13:32:31 +02:00
parent 739e2d1107
commit 110495ed9f
1 changed files with 7 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/modules/module-rtp/midi.c
View file

@ -471,9 +471,15 @@ static void rtp_midi_flush_packets(struct impl *impl,
memcpy(&impl->buffer[len], data, size);
len += size;
} else {
int res;
delta = offset - prev_offset;
prev_offset = offset;
len += write_event(&impl->buffer[len], BUFFER_SIZE - len, delta, data, size);
res = write_event(&impl->buffer[len], BUFFER_SIZE - len, delta, data, size);
if (res < 0) {
pw_log_warn("write_event error: %d", res);
return;
}
len += res;
}
}
if (len > 0) {