From 340ec2464ee6954db765b0f8dc6d0c0be0a55d2d Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Sun, 18 Aug 2024 19:50:44 -0400
Subject: [PATCH] pod: check that padding is zeroed

This checks that padding is zeroed in the SPA POD parser. Non-zero padding is likely an indicator of a bug in the sender, especially one that leaks uninitialized memory.
---
 spa/include/spa/pod/parser.h | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/spa/include/spa/pod/parser.h b/spa/include/spa/pod/parser.h
index a3a5527bc..cd441d5d8 100644
--- a/spa/include/spa/pod/parser.h
+++ b/spa/include/spa/pod/parser.h
@@ -80,8 +80,13 @@ spa_pod_parser_deref(struct spa_pod_parser *parser, uint32_t offset, uint32_t si
 * to the next multiple of 8) is in bounds.
 */
 if (SPA_IS_ALIGNED(pod, SPA_POD_ALIGN) &&
- long_offset + SPA_ROUND_UP_N((uint64_t)SPA_POD_BODY_SIZE(pod), SPA_POD_ALIGN) <= size)
- return (struct spa_pod *)pod;
+ long_offset + SPA_ROUND_UP_N((uint64_t)SPA_POD_BODY_SIZE(pod), SPA_POD_ALIGN) <= size) {
+ uint64_t zero = 0;
+ size_t padding = SPA_POD_BODY_SIZE(pod) & 7;
+ if (padding == 0 ||
+ memcmp(SPA_PTROFF(pod, SPA_POD_SIZE(pod), void), &zero, 8 - padding) == 0)
+ return (struct spa_pod *)pod;
+ }
 }
 return NULL;
 }
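Review bot: The block comment above this condition ("Check that the pointer is aligned and that the size ... is in bounds") no longer describes the whole test now that the branch also rejects pods whose trailing padding is non-zero; extend it with a line such as `* Also reject pods whose padding bytes (up to the next multiple of 8) are not all zero.` so a reader sees why a correctly sized pod can still yield NULL. The local `padding` holds `SPA_POD_BODY_SIZE(pod) & 7`, i.e. the number of used bytes in the final 8-byte word, while the real padding length is `8 - padding`; naming it `tail` and passing `8 - tail` to memcmp avoids reading the length argument backwards. memcmp requires `<string.h>`; if this header does not already pull it in, add the include rather than relying on transitive includes. Since the commit message treats non-zero padding as a likely sender bug, a debug-level log at the rejection point, where one is available to this header, would make such senders visible instead of surfacing only as a silent NULL; spa_pod_parser_deref starts before this hunk.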