security: fix missing packet length validation in VBAN audio receive

Memory Safety: High

In vban_audio_receive(), the received buffer is cast to struct
vban_header and its fields are accessed before validating that the
packet is large enough to contain the header. If a truncated packet
shorter than VBAN_HEADER_SIZE is received, this reads past the end
of the buffer.

Additionally, when len < hlen, the plen calculation (len - hlen)
produces a negative ssize_t value which, when used in the unsigned
division plen / stride, gets implicitly converted to a very large
value, potentially causing further out-of-bounds reads.

Fix by checking that len >= VBAN_HEADER_SIZE before accessing the
header.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wim Taymans 2026-04-23 17:56:38 +02:00
parent 0ac8b1c5fa
commit 3709cac938

@ -89,11 +89,14 @@ static int vban_audio_receive(struct impl *impl, uint8_t *buffer, ssize_t len)
uint32_t stride = impl->stride; uint32_t stride = impl->stride;
int32_t filled; int32_t filled;
hlen = VBAN_HEADER_SIZE;
if (len < hlen)
return 0;
hdr = (struct vban_header*)buffer; hdr = (struct vban_header*)buffer;
impl->receiving = true; impl->receiving = true;
hlen = VBAN_HEADER_SIZE;
plen = len - hlen; plen = len - hlen;
samples = SPA_MIN(hdr->format_nbs+1, plen / stride); samples = SPA_MIN(hdr->format_nbs+1, plen / stride);
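Review bot: the new guard `if (len < hlen)` compares the ssize_t `len` against `hlen`, whose declaration is outside this hunk, so whether a negative `len` is rejected depends on that type. If `hlen` is unsigned and at least as wide as ssize_t, the usual arithmetic conversions turn a negative `len` into a large unsigned value and the check passes, after which `plen = len - hlen` is negative again. Checking `len < 0` explicitly, or comparing against `(ssize_t)VBAN_HEADER_SIZE`, would make the guard independent of how `hlen` is declared. Separately, the early `return 0` drops a truncated packet with no log line or counter, and it now sits before `impl->receiving = true`; a debug-level message at that return would make malformed VBAN traffic visible to whoever is diagnosing the stream, and it is worth confirming that the caller treats 0 here the same way it treats a normally processed packet.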