SPA POD parser: fix several integer overflows

This fixes several integer overflow problems in the POD parser, as well
as fixing a returns-twice warning from GCC and integer truncation
problems in SPA_FLAG_CLEAR and SPA_ROUND_DOWN_N.  The integer overflows
can result in a tiny POD being treated as a huge one, causing
out-of-bounds reads.
Demi Marie Obenour 2022-07-30 13:10:19 -04:00 committed by Wim Taymans
parent 0e4df09e53
commit 1e848fc299
7 changed files with 59 additions and 16 deletions
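The commit message attributes the bug to truncation inside the rounding macros and to overflow that turns a tiny POD into a huge one, and the hunk below widens the alignment to int64_t before it reaches SPA_ROUND_UP_N. The following is an added example, not code from this commit or from PipeWire: the macros are a hypothetical reconstruction of the common "mask with align-1" pattern (assumed, not copied from the project), and the function names and inputs are mine. It shows how a narrow align type silently clears the high bits of a wide size, how widening the operand fixes that, and what an overflow-checked round-up on a 32-bit size field looks like.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical rounding macros in the usual "mask with align-1" style.
 * These are assumed for illustration and are not PipeWire's definitions. */
#define ROUND_DOWN_N(num, align) ((num) & ~((align) - 1))
#define ROUND_UP_N(num, align)   ROUND_DOWN_N((num) + ((align) - 1), (align))

/* Truncation bug class: align is a 32-bit unsigned, so ~(align - 1) is
 * computed in 32 bits and then zero-extended.  The mask therefore has its
 * upper 32 bits clear, and those bits of a 64-bit num are dropped. */
uint64_t round_up_narrow_align(uint64_t num, uint32_t align)
{
	return ROUND_UP_N(num, align);
}

/* Fix in the spirit of the hunk: widen align to a 64-bit type before the
 * macro expands, so the mask is computed at the width of num. */
uint64_t round_up_wide_align(uint64_t num, uint32_t align32)
{
	int64_t align = align32;	/* same widening as the hunk's `align` */
	return ROUND_UP_N(num, align);
}

/* Overflow-checked round-up on a 32-bit size (the width a POD size field
 * might have).  Returns -1 instead of wrapping: with the unchecked macro a
 * size near UINT32_MAX rounds up to a tiny value, which is exactly the
 * "tiny POD treated as huge" (or vice versa) confusion the message warns of. */
int64_t round_up_u32_checked(uint32_t num, uint32_t align)
{
	if (align == 0 || (align & (align - 1)) != 0)
		return -1;		/* rounding needs a non-zero power of two */
	if (num > UINT32_MAX - (align - 1))
		return -1;		/* num + (align - 1) would wrap */
	return (int64_t)((num + (align - 1)) & ~(align - 1));
}

int main(void)
{
	/* Constructed inputs: a size just above 4 GiB, 16-byte alignment. */
	uint64_t big = 0x100000010ULL;
	printf("narrow align: 0x%llx -> 0x%llx\n", (unsigned long long)big,
	       (unsigned long long)round_up_narrow_align(big, 16));
	printf("wide align:   0x%llx -> 0x%llx\n", (unsigned long long)big,
	       (unsigned long long)round_up_wide_align(big, 16));
	printf("checked 13/8:          %lld\n",
	       (long long)round_up_u32_checked(13, 8));
	printf("checked 0xFFFFFFFD/8:  %lld\n",
	       (long long)round_up_u32_checked(0xFFFFFFFDu, 8));
	return 0;
}
```

The narrow variant returns 0x10 for an input of 0x100000010: the size has lost its top bits and a reader of the result would treat a multi-gigabyte buffer as sixteen bytes. The checked variant refuses sizes that would wrap rather than returning a small number that later bounds a read.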


@ -161,8 +161,9 @@ static inline int spa_buffer_alloc_fill_info(struct spa_buffer_alloc_info *info,
*target += info->chunk_size;
for (i = 0, size = 0; i < n_datas; i++) {
int64_t align = data_aligns[i];
info->max_align = SPA_MAX(info->max_align, data_aligns[i]);
size = SPA_ROUND_UP_N(size, data_aligns[i]);
size = SPA_ROUND_UP_N(size, align);
size += datas[i].maxsize;
}
info->data_size = size;
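Review bot: the widened `int64_t align` is used only in the SPA_ROUND_UP_N call; the SPA_MAX on the preceding line still reads `data_aligns[i]` directly, so two adjacent uses of the same alignment now go through different types. Suggest `info->max_align = SPA_MAX(info->max_align, align);` for consistency, and a short comment saying the widening exists so the rounding macro operates at 64-bit width, since nothing in the hunk explains why `align` is int64_t. Also note that `size += datas[i].maxsize;` in the same loop is still unchecked, so a very large maxsize can still wrap `size` before it is stored in `info->data_size`; a bounds check or saturating add there would close that off.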