mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-29 06:46:38 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: add missing NULL check after calloc in sendspin-recv

Browse source 
Memory Safety: Medium

The ring buffer allocation in the sendspin receiver module was not
checked for NULL. If calloc fails (e.g., due to a large stride value
from network-controlled audio format parameters), the code proceeds
to use the NULL pointer, causing a crash.

Also changed calloc(1, size*stride) to calloc(size, stride) so that
calloc itself checks for multiplication overflow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-28 12:33:52 +02:00
parent e3c20982a8
commit 2fee779161
1 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/modules/module-sendspin-recv.c
View file

@ -371,7 +371,9 @@ static int create_stream(struct client *client)
spa_ringbuffer_init(&client->ring); spa_ringbuffer_init(&client->ring);
client->buffer_size = 1024 * 1024; client->buffer_size = 1024 * 1024;
client->buffer = calloc(1, client->buffer_size * client->stride); client->buffer = calloc(client->buffer_size, client->stride);
if (client->buffer == NULL)
return -ENOMEM;
pw_stream_add_listener(client->stream, pw_stream_add_listener(client->stream,
&client->stream_listener, &client->stream_listener,