From 1de8615cafdacfeedab115c945a40856075a2b75 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Tue, 28 Apr 2026 12:35:25 +0200 Subject: [PATCH] security: fix missing NULL check and integer overflow in AVB ringbuffer Memory Safety: Medium The AVB PCM ringbuffer allocation used calloc(1, size * 4) which has two issues: the multiplication can overflow for large ringbuffer_size values (derived from quantum_limit config parameter), and the return value was never checked for NULL. Fixed by using calloc(size, 4) which lets calloc check for overflow internally, and added a NULL check for the allocation result. Co-Authored-By: Claude Opus 4.6 --- spa/plugins/avb/avb-pcm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/spa/plugins/avb/avb-pcm.c b/spa/plugins/avb/avb-pcm.c index 5585cb141..e1f2b0a8c 100644 --- a/spa/plugins/avb/avb-pcm.c +++ b/spa/plugins/avb/avb-pcm.c @@ -407,7 +407,9 @@ int spa_avb_init(struct state *state, const struct spa_dict *info) } state->ringbuffer_size = state->quantum_limit * 64; - state->ringbuffer_data = calloc(1, state->ringbuffer_size * 4); + state->ringbuffer_data = calloc(state->ringbuffer_size, 4); + if (state->ringbuffer_data == NULL) + return -ENOMEM; spa_ringbuffer_init(&state->ring); return 0; }
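Review bot: the overflow fix stops one line short: `state->ringbuffer_size = state->quantum_limit * 64;` immediately above the changed allocation still multiplies a config-derived value with no bound check, so a large quantum_limit can wrap ringbuffer_size to a small value, after which `calloc(state->ringbuffer_size, 4)` succeeds and returns an undersized buffer that later ring writes can overrun. Suggest validating quantum_limit against an explicit upper bound (or using a checked multiply that fails with -EINVAL) before that line, so calloc's internal overflow check is not the only guard. Two things to confirm that the hunk does not show: that errno.h (or an SPA header providing ENOMEM) is already included in avb-pcm.c, and that nothing allocated earlier in spa_avb_init needs releasing on the new `return -ENOMEM;` path.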