SPA POD parser: fix several integer overflows

This fixes several integer overflow problems in the POD parser, as well
as fixing a returns-twice warning from GCC and integer truncation
problems in SPA_FLAG_CLEAR and SPA_ROUND_DOWN_N.  The integer overflows
can result in a tiny POD being treated as a huge one, causing
out-of-bounds reads.
Demi Marie Obenour 2022-07-30 13:10:19 -04:00 committed by Wim Taymans
parent 0e4df09e53
commit 1e848fc299
7 changed files with 59 additions and 16 deletions


@ -31,13 +31,19 @@ int pw_protocol_native_connect_portal_screencast(struct pw_protocol_client *clie
void (*done_callback) (void *data, int res),
void *data);
static inline void *get_first_pod_from_data(void *data, size_t maxsize, off_t offset)
static inline void *get_first_pod_from_data(void *data, uint32_t maxsize, uint64_t offset)
{
void *pod;
if (offset + sizeof(struct spa_pod) > maxsize)
if (maxsize <= offset)
return NULL;
/* spa_pod_parser_advance() rounds up, so round down here to compensate */
maxsize = SPA_ROUND_DOWN_N(maxsize - offset, 8);
if (maxsize < sizeof(struct spa_pod))
return NULL;
pod = SPA_PTROFF(data, offset, void);
if (offset + SPA_POD_SIZE(pod) > maxsize)
if (SPA_POD_BODY_SIZE(pod) > maxsize - sizeof(struct spa_pod))
return NULL;
return pod;
}
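Review bot: `maxsize` is narrowed from `size_t` to `uint32_t` in the new signature, so a caller that still passes a `size_t` buffer length above `UINT32_MAX` would be silently truncated before the `maxsize <= offset` check rather than rejected; whether any call site can pass such a length is not visible in this hunk, but compiling with `-Wconversion` at the call sites would surface it. The function now carries a non-obvious contract (header must fit in the remaining length rounded down to 8, body must fit in that rounded remainder), which deserves a comment above the definition, e.g. `/* Return the POD at data+offset, or NULL unless its header and body fit within maxsize after rounding the remaining length down to 8 (matching spa_pod_parser_advance()'s round-up). Assumes offset is 8-byte aligned. */`. The alignment assumption is inferred from the use of SPA_ROUND_DOWN_N rather than established by the hunk, so confirm it against the callers before stating it.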