From 2fee779161ec2e978a67b666da38767754c9da1d Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Tue, 28 Apr 2026 12:33:52 +0200
Subject: [PATCH] security: add missing NULL check after calloc in
 sendspin-recv

Memory Safety: Medium

The ring buffer allocation in the sendspin receiver module was not
checked for NULL. If calloc fails (e.g., due to a large stride value
from network-controlled audio format parameters), the code proceeds
to use the NULL pointer, causing a crash.

Also changed calloc(1, size*stride) to calloc(size, stride) so that
calloc itself checks for multiplication overflow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 src/modules/module-sendspin-recv.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/modules/module-sendspin-recv.c b/src/modules/module-sendspin-recv.c
index dff173eb6..793e16441 100644
--- a/src/modules/module-sendspin-recv.c
+++ b/src/modules/module-sendspin-recv.c
@@ -371,7 +371,9 @@ static int create_stream(struct client *client)
 
 	spa_ringbuffer_init(&client->ring);
 	client->buffer_size = 1024 * 1024;
-	client->buffer = calloc(1, client->buffer_size * client->stride);
+	client->buffer = calloc(client->buffer_size, client->stride);
+	if (client->buffer == NULL)
+		return -ENOMEM;
 
 	pw_stream_add_listener(client->stream,
 			&client->stream_listener,