From 110495ed9f0559407b944db7887f7348da9b96df Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Wed, 29 Apr 2026 13:32:31 +0200 Subject: [PATCH] security: fix unchecked write_event return value in RTP MIDI Memory Safety: Critical write_event() returns a negative int on error (-ENOSPC or -ERANGE), but its return value was added directly to the uint32_t len variable without checking. A negative return value would wrap len to a very large number due to unsigned integer conversion, causing subsequent buffer writes to go far out of bounds. This could lead to stack corruption and potential code execution. Fix by checking the return value of write_event() before using it. If write_event() fails, abort the flush operation safely. Co-Authored-By: Claude Opus 4.6 --- src/modules/module-rtp/midi.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/modules/module-rtp/midi.c b/src/modules/module-rtp/midi.c index 5e13750f1..793fa3c85 100644 --- a/src/modules/module-rtp/midi.c +++ b/src/modules/module-rtp/midi.c @@ -471,9 +471,15 @@ static void rtp_midi_flush_packets(struct impl *impl, memcpy(&impl->buffer[len], data, size); len += size; } else { + int res; delta = offset - prev_offset; prev_offset = offset; - len += write_event(&impl->buffer[len], BUFFER_SIZE - len, delta, data, size); + res = write_event(&impl->buffer[len], BUFFER_SIZE - len, delta, data, size); + if (res < 0) { + pw_log_warn("write_event error: %d", res); + return; + } + len += res; } } if (len > 0) {
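Review bot: In the new `if (res < 0)` branch, the bare `return;` leaves `rtp_midi_flush_packets()` without reaching the `if (len > 0) {` block that follows the loop, so whatever that block does with the bytes already accumulated in `impl->buffer` during this call is skipped, and the earlier events are dropped together with the one that failed. If the `len` bytes written so far are still a valid payload, `break;` would let them go out and lose only the failing event and those after it. If dropping the whole batch is intended, a one-line comment saying so would help the next reader. The commit message names two error codes, -ENOSPC and -ERANGE, and they may warrant different handling: for -ENOSPC the buffer is merely full, so handling what is buffered and retrying the event is an option, while the warning as written does not say which event or offset was rejected. Separately, the unchanged `memcpy(&impl->buffer[len], data, size); len += size;` in the other branch shows no bound against `BUFFER_SIZE` in the visible context. It writes to the same buffer with the same `len`, so please confirm a size check exists above this hunk, or add one alongside this fix.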