From 1a690a0cbbf5691c299b13d1fe8518da2bb52f22 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Thu, 17 Dec 2020 19:39:12 +0100
Subject: [PATCH] pulse-server: limit writes to ringbuffer

We can't write more to the ringbuffer than its maxsize. Some clients send more than the negotiated maxsize and cause a crash if we don't clamp. See #440
---
 src/modules/module-protocol-pulse/pulse-server.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/modules/module-protocol-pulse/pulse-server.c b/src/modules/module-protocol-pulse/pulse-server.c
index d131c0519..dee6031c3 100644
--- a/src/modules/module-protocol-pulse/pulse-server.c
+++ b/src/modules/module-protocol-pulse/pulse-server.c
@@ -1488,11 +1488,12 @@ static void stream_process(void *data)
 stream, client->name, pd.write_index, filled,
 size, stream->attr.maxlength);
 }
+
 spa_ringbuffer_write_data(&stream->ring,
 stream->buffer, stream->attr.maxlength,
 pd.write_index % stream->attr.maxlength,
 SPA_MEMBER(p, buf->datas[0].chunk->offset, void),
- size);
+ SPA_MIN(size, stream->attr.maxlength));

 pd.write_index += size;
 spa_ringbuffer_write_update(&stream->ring, pd.write_index);
@@ -4792,12 +4793,14 @@ static int handle_memblock(struct client *client, struct message *msg)
 /* overrun */
 send_overflow(stream);
 }
+
 /* always write data to ringbuffer, we expect the other side
 * to recover */
 spa_ringbuffer_write_data(&stream->ring,
 stream->buffer, stream->attr.maxlength,
 index % stream->attr.maxlength,
- msg->data, msg->length);
+ msg->data,
+ SPA_MIN(msg->length, stream->attr.maxlength));
 stream->write_index = index + msg->length;
 spa_ringbuffer_write_update(&stream->ring, stream->write_index);
 stream->requested -= msg->length;
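Review bot: The new `SPA_MIN(size, stream->attr.maxlength)` bounds only the copy into `stream->buffer`; the source pointer `SPA_MEMBER(p, buf->datas[0].chunk->offset, void)` and the length read from it are not checked against the size of the data block anywhere in this hunk. `stream_process` begins above the hunk, so an earlier validation may exist; if it does not, bounding the read as well would close the matching over-read, e.g. `size = SPA_MIN(size, buf->datas[0].maxsize - offset);` after clamping the chunk offset itself to `maxsize`. Separately, `pd.write_index += size` still advances by the unclamped size while at most `maxlength` bytes were stored, and the `handle_memblock` hunk does the same with `stream->write_index = index + msg->length`. If dropping the tail while keeping the stream position is intended, a comment such as `/* only the first maxlength bytes fit; the index still advances by the full size */` at both call sites would spare the next reader from treating it as a bug.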
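Review bot: `stream->requested -= msg->length` still subtracts the full client-supplied length after the write has been clamped, so a memblock larger than what was requested can push `requested` past zero. Its type is declared outside this hunk, so whether that wraps or goes negative is not visible here. Bounding the subtraction, e.g. `stream->requested -= SPA_MIN(msg->length, stream->requested);`, keeps the flow-control accounting sane for a client that ignores the negotiated size. The clamp is also silent: a warning when `msg->length > stream->attr.maxlength` would surface a misbehaving client in the logs rather than only as dropped audio. `handle_memblock` continues beyond both ends of the hunk, so any check on `msg->length` made earlier in the function is not visible here.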