security: fix missing NULL check and integer overflow in AVB ringbuffer

Memory Safety: Medium

The AVB PCM ringbuffer allocation used calloc(1, size * 4) which has
two issues: the multiplication can overflow for large ringbuffer_size
values (derived from quantum_limit config parameter), and the return
value was never checked for NULL.

Fixed by using calloc(size, 4) which lets calloc check for overflow
internally, and added a NULL check for the allocation result.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wim Taymans 2026-04-28 12:35:25 +02:00
parent bf614354cc
commit 1de8615caf

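The commit message above describes the defect in two sentences; the following is an added example (not PipeWire's code, and not from the commit) that makes both halves of it observable. It assumes, as the hunk's `* 64` suggests but does not show, that `quantum_limit` and `ringbuffer_size` are 32-bit fields; the struct name `rb_state`, the constants `SLOT_BYTES` and `SLOTS_PER_QUANTUM` and the functions `naive_byte_count`, `calloc_refuses`, `rb_alloc` and `try_alloc` are all hypothetical names chosen here. The checked allocator at the end uses the GCC/Clang `__builtin_mul_overflow` builtin and goes one step beyond the hunk by also guarding the `quantum_limit * 64` product.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names for the literals 4 and 64 in the hunk, so the arithmetic
 * reads as "slots * bytes per slot". */
#define SLOT_BYTES        4u
#define SLOTS_PER_QUANTUM 64u

/* Assumed shape of the three fields the hunk touches. The real state struct is
 * larger, and its field types are not visible on this page. */
struct rb_state {
	uint32_t quantum_limit;
	uint32_t ringbuffer_size;
	void *ringbuffer_data;
};

/* Pre-fix arithmetic. With a 32-bit ringbuffer_size the product is evaluated
 * in 32-bit unsigned arithmetic and wraps before it is widened to size_t, so
 * calloc(1, ...) hands back a tiny buffer for a huge ringbuffer_size. */
uint32_t naive_byte_count(uint32_t ringbuffer_size)
{
	return ringbuffer_size * SLOT_BYTES;
}

/* Post-fix call. calloc multiplies nmemb * size itself in size_t and returns
 * NULL (errno == ENOMEM) when the product is not representable.
 * Returns 1 when calloc refused the request, 0 when it handed out memory. */
int calloc_refuses(size_t nmemb)
{
	void *p = calloc(nmemb, SLOT_BYTES);
	if (p == NULL)
		return 1;
	free(p);
	return 0;
}

/* Both multiplications checked: quantum_limit * 64 as well as size * 4.
 * The second check only matters where size_t is 32 bits, but it costs nothing.
 * Returns 0 on success, -EOVERFLOW if a product does not fit its type,
 * -ENOMEM if the allocator refuses. */
int rb_alloc(struct rb_state *state)
{
	uint32_t size;
	size_t bytes;

	if (__builtin_mul_overflow(state->quantum_limit, SLOTS_PER_QUANTUM, &size))
		return -EOVERFLOW;
	if (__builtin_mul_overflow((size_t)size, (size_t)SLOT_BYTES, &bytes))
		return -EOVERFLOW;
	state->ringbuffer_size = size;
	state->ringbuffer_data = calloc(size, SLOT_BYTES);
	if (state->ringbuffer_data == NULL)
		return -ENOMEM;
	return 0;
}

void rb_free(struct rb_state *state)
{
	free(state->ringbuffer_data);
	state->ringbuffer_data = NULL;
	state->ringbuffer_size = 0;
}

/* Allocate for one quantum_limit value, report rb_alloc's result, release. */
int try_alloc(uint32_t quantum_limit)
{
	struct rb_state st = { .quantum_limit = quantum_limit };
	int res = rb_alloc(&st);
	rb_free(&st);
	return res;
}

int main(void)
{
	/* 0x40000002 * 4 == 0x100000008, which wraps to 8 in 32-bit arithmetic. */
	printf("naive byte count for 0x40000002 slots: %u\n",
	       (unsigned)naive_byte_count(0x40000002u));
	/* A slot count whose *4 product overflows size_t: calloc must say no. */
	printf("calloc refuses SIZE_MAX/4+3 slots: %d\n",
	       calloc_refuses(SIZE_MAX / 4 + 3));
	printf("quantum_limit 8192 -> %d\n", try_alloc(8192u));
	printf("quantum_limit 1<<26 -> %d (-EOVERFLOW is %d)\n",
	       try_alloc(1u << 26), -EOVERFLOW);
	return 0;
}
```

The first two calls are the before and after of the hunk: the same kind of oversized request either shrinks silently to a few bytes or is rejected by `calloc`. The last call shows why the `* 64` step deserves the same treatment: a `quantum_limit` of 2^26 multiplies to exactly 2^32, which a 32-bit `ringbuffer_size` would store as 0 before `calloc` ever runs.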

@ -407,7 +407,9 @@ int spa_avb_init(struct state *state, const struct spa_dict *info)
}
state->ringbuffer_size = state->quantum_limit * 64;
state->ringbuffer_data = calloc(1, state->ringbuffer_size * 4);
state->ringbuffer_data = calloc(state->ringbuffer_size, 4);
if (state->ringbuffer_data == NULL)
return -ENOMEM;
spa_ringbuffer_init(&state->ring);
return 0;
}
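Review bot: The overflow check now covers only the second multiplication; `state->ringbuffer_size = state->quantum_limit * 64;` two lines above the changed call is still unchecked, and if `ringbuffer_size` is a 32-bit field a large `quantum_limit` wraps it to a small value before `calloc(state->ringbuffer_size, 4)` is reached, so `calloc` sees a legitimate-looking request and the overflow it guards against never occurs at that point. Suggest bounding `quantum_limit` where the config value is parsed, or computing the product with `__builtin_mul_overflow` and returning an error on wrap, so the cap on the ringbuffer size does not depend on the allocator. Minor: with `calloc(nmemb, size)` the second argument reads as an element size, so the bare `4` would be clearer as a `sizeof(...)` or a named constant that says what one ringbuffer slot is.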