security: fix unchecked alloca in pulse-server property list handling

Memory Safety: Medium

fill_card_info() uses pi->n_props from port info for an alloca()
without bounds checking. A card object with many port properties can
similarly exhaust the stack.

Add MAX_ALLOCA_SIZE checks consistent with the existing pattern to
prevent stack overflow from large property counts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-24 14:12:50 +02:00
parent 42c0df1a47
commit 1302cbd08d

View file

@ -3650,7 +3650,8 @@ static int fill_card_info(struct client *client, struct message *m,
pi = &port_info[n]; pi = &port_info[n];
if (pi->info && pi->n_props > 0) { if (pi->info && pi->n_props > 0 &&
pi->n_props <= MAX_ALLOCA_SIZE / sizeof(*items)) {
items = alloca(pi->n_props * sizeof(*items)); items = alloca(pi->n_props * sizeof(*items));
pdict = collect_props(pi->info, &dict, items, pi->n_props); pdict = collect_props(pi->info, &dict, items, pi->n_props);
} }