mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-05 06:46:28 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

remote-node: check memory offsets and size

Browse source 
Check that the metadata, chunks and optionally the buffer data fit in
the memory.
This commit is contained in:
Wim Taymans 2026-05-04 09:20:13 +02:00
parent 7a826b1580
commit 47deb75247
1 changed files with 13 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

13
src/modules/module-client-node/remote-node.c
View file

@ -667,10 +667,19 @@ client_node_port_use_buffers(void *_data,
for (j = 0; j < b->n_metas; j++) { for (j = 0; j < b->n_metas; j++) {
struct spa_meta *m = &b->metas[j]; struct spa_meta *m = &b->metas[j];
memcpy(m, &buffers[i].buffer->metas[j], sizeof(struct spa_meta)); memcpy(m, &buffers[i].buffer->metas[j], sizeof(struct spa_meta));
if (offset + m->size > mm->size) {
res = -EINVAL;
goto error_exit_cleanup;
}
m->data = SPA_PTROFF(mm->ptr, offset, void); m->data = SPA_PTROFF(mm->ptr, offset, void);
offset += SPA_ROUND_UP_N(m->size, 8); offset += SPA_ROUND_UP_N(m->size, 8);
} }
if (offset + sizeof(struct spa_chunk) * b->n_datas > mm->size) {
res = -EINVAL;
goto error_exit_cleanup;
}
for (j = 0; j < b->n_datas; j++) { for (j = 0; j < b->n_datas; j++) {
struct spa_data *d = &b->datas[j]; struct spa_data *d = &b->datas[j];
@ -701,6 +710,10 @@ client_node_port_use_buffers(void *_data,
j, bm->id, bm->fd, d->maxsize, d->flags); j, bm->id, bm->fd, d->maxsize, d->flags);
} else if (d->type == SPA_DATA_MemPtr) { } else if (d->type == SPA_DATA_MemPtr) {
int offs = SPA_PTR_TO_INT(d->data); int offs = SPA_PTR_TO_INT(d->data);
if (offs < 0 || (uint32_t)offs + d->maxsize > mm->size) {
res = -EINVAL;
goto error_exit_cleanup;
}
d->data = SPA_PTROFF(mm->ptr, offs, void); d->data = SPA_PTROFF(mm->ptr, offs, void);
d->fd = -1; d->fd = -1;
pw_log_debug(" data %d id:%u -> mem:%p offs:%d maxsize:%d flags:%08x", pw_log_debug(" data %d id:%u -> mem:%p offs:%d maxsize:%d flags:%08x",