security: fix unbounded sprintf in pw_conf_save_state

Memory Safety: Low

sprintf was used to format a temporary filename into an alloca'd
buffer. While the buffer was correctly sized (strlen + 5), using
snprintf with an explicit size makes the bound explicit at the
call site and prevents an overflow if the sizing logic is changed
in the future without the format string being updated to match.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wim Taymans 2026-04-23 14:38:55 +02:00
parent 46e732c28b
commit 329e0ddb02


@ -358,8 +358,9 @@ int pw_conf_save_state(const char *prefix, const char *name, const struct pw_pro
if ((sfd = open_write_dir(path, sizeof(path), prefix)) < 0) if ((sfd = open_write_dir(path, sizeof(path), prefix)) < 0)
return sfd; return sfd;
tmp_name = alloca(strlen(name)+5); size_t tmp_name_size = strlen(name) + 5;
sprintf(tmp_name, "%s.tmp", name); tmp_name = alloca(tmp_name_size);
snprintf(tmp_name, tmp_name_size, "%s.tmp", name);
if ((fd = openat(sfd, tmp_name, O_CLOEXEC | O_CREAT | O_WRONLY | O_TRUNC, 0600)) < 0) { if ((fd = openat(sfd, tmp_name, O_CLOEXEC | O_CREAT | O_WRONLY | O_TRUNC, 0600)) < 0) {
res = -errno; res = -errno;
pw_log_error("can't open file '%s': %m", tmp_name); pw_log_error("can't open file '%s': %m", tmp_name);
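Review bot: The return value of the new snprintf on the `snprintf(tmp_name, tmp_name_size, "%s.tmp", name);` line is discarded, so the future size mismatch the commit message says it guards against would not overflow but would silently truncate and produce a wrong temporary filename; `int n = snprintf(tmp_name, tmp_name_size, "%s.tmp", name);` followed by `if (n < 0 || (size_t)n >= tmp_name_size) return -ENAMETOOLONG;` (routed through whatever cleanup closes sfd, which is already open here) makes the bound actually enforced. The `+ 5` in `size_t tmp_name_size = strlen(name) + 5;` is a magic number tied to the ".tmp" suffix plus the terminator; `strlen(name) + sizeof(".tmp")` keeps the size and the format string in step, which is the very drift the commit worries about. Separately, `alloca(tmp_name_size)` still scales with an unchecked `strlen(name)`, so if `name` can come from an untrusted caller (not visible here) a very long name exhausts the stack before openat can reject it; checking `strlen(name) > NAME_MAX` up front and failing with -ENAMETOOLONG would bound the stack use. pw_conf_save_state begins before this hunk and continues after it, so the error-path conventions for sfd are not visible.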