mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-27 06:46:48 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix integer overflow in pw_reallocarray fallback path

Browse source 
Memory Safety: High

When the system does not provide reallocarray(), pw_reallocarray()
falls back to realloc(ptr, nmemb * size). The multiplication
nmemb * size can silently overflow, causing a smaller-than-expected
allocation. Subsequent writes to the allocation then overflow the
heap buffer.

This function is used extensively throughout PipeWire for allocating
arrays from protocol data, making it a wide attack surface.

Fix by adding an explicit overflow check before the multiplication
in the fallback path, matching the behavior of the real
reallocarray().

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-23 17:57:22 +02:00
parent d4ec630b2f
commit 18df76b654
1 changed files with 4 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/pipewire/utils.c
View file

@ -368,6 +368,10 @@ void* pw_reallocarray(void *ptr, size_t nmemb, size_t size)
#ifdef HAVE_REALLOCARRAY #ifdef HAVE_REALLOCARRAY
return reallocarray(ptr, nmemb, size); return reallocarray(ptr, nmemb, size);
#else #else
if (size > 0 && nmemb > SIZE_MAX / size) {
errno = ENOMEM;
return NULL;
}
return realloc(ptr, nmemb * size); return realloc(ptr, nmemb * size);
#endif #endif
} }