mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-03 06:47:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix potential buffer over-read in combine-sink name encoding

Browse source 
spa_json_encode_string was called with sizeof(name)-1, which would
not write a null terminator on truncation. Use sizeof(name) and skip
sink names that don't fit in the buffer.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-30 09:27:37 +02:00
parent 912f7f5c64
commit 4a34da368e
1 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/modules/module-protocol-pulse/modules/module-combine-sink.c
View file

@ -185,7 +185,9 @@ static int module_combine_sink_load(struct module *module)
} else { } else {
for (i = 0; data->sink_names[i] != NULL; i++) { for (i = 0; data->sink_names[i] != NULL; i++) {
char name[1024]; char name[1024];
spa_json_encode_string(name, sizeof(name)-1, data->sink_names[i]); if (spa_json_encode_string(name, sizeof(name), data->sink_names[i]) >= (int)sizeof(name))
continue;
fprintf(f, " { matches = [ { media.class = \"Audio/Sink\" "); fprintf(f, " { matches = [ { media.class = \"Audio/Sink\" ");
fprintf(f, " node.name = %s } ]", name); fprintf(f, " node.name = %s } ]", name);
fprintf(f, " actions = { create-stream = { } } }"); fprintf(f, " actions = { create-stream = { } } }");