mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-25 21:38:32 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix crash and overflow bugs in network-facing modules

Browse source 
module-filter-chain: fix NULL pointer dereference when
pw_stream_dequeue_buffer returns NULL and out->requested is
accessed outside the NULL check.

module-zeroconf-discover: add NULL checks for name, type,
host_name, address, and port from mDNS lookups that could be
missing in malformed announcements.

module-raop-sink: cap net.mtu to 9000 to prevent stack overflow
via VLA uint32_t out[8 + mtu].

module-rtp-sap: fix buffer over-read in SDP "i=" line parsing
that read past a self-inserted null terminator. Also fix fd leak
when fd is 0 (fd > 0 should be fd >= 0).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-30 18:38:19 +02:00
parent c551408ec2
commit 4b64b81d21
4 changed files with 28 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

17
src/modules/module-zeroconf-discover.c
View file

@ -241,6 +241,8 @@ static void on_zeroconf_added(void *data, const void *user_data, const struct sp
name = spa_dict_lookup(info, PW_KEY_ZEROCONF_NAME);
type = spa_dict_lookup(info, PW_KEY_ZEROCONF_TYPE);
if (name == NULL || type == NULL)
goto done;
mode = strstr(type, "sink") ? "sink" : "source";
tinfo = TUNNEL_INFO(.name = name, .mode = mode);
@ -267,6 +269,8 @@ static void on_zeroconf_added(void *data, const void *user_data, const struct sp
pw_properties_from_zeroconf(it->key, it->value, props);
host_name = spa_dict_lookup(info, PW_KEY_ZEROCONF_HOSTNAME);
if (host_name == NULL)
host_name = "unknown";
if ((device = pw_properties_get(props, PW_KEY_TARGET_OBJECT)) != NULL)
pw_properties_setf(props, PW_KEY_NODE_NAME,
@ -277,9 +281,14 @@ static void on_zeroconf_added(void *data, const void *user_data, const struct sp
pw_properties_set(props, "tunnel.mode", mode);
pw_properties_setf(props, "pulse.server.address", " [%s]:%s",
spa_dict_lookup(info, PW_KEY_ZEROCONF_ADDRESS),
spa_dict_lookup(info, PW_KEY_ZEROCONF_PORT));
{
const char *address = spa_dict_lookup(info, PW_KEY_ZEROCONF_ADDRESS);
const char *port = spa_dict_lookup(info, PW_KEY_ZEROCONF_PORT);
if (address == NULL || port == NULL)
goto done;
pw_properties_setf(props, "pulse.server.address", " [%s]:%s",
address, port);
}
desc = pw_properties_get(props, "tunnel.remote.description");
if (desc == NULL)
@ -349,6 +358,8 @@ static void on_zeroconf_removed(void *data, const void *user, const struct spa_d
name = spa_dict_lookup(info, PW_KEY_ZEROCONF_NAME);
type = spa_dict_lookup(info, PW_KEY_ZEROCONF_TYPE);
if (name == NULL || type == NULL)
return;
mode = strstr(type, "sink") ? "sink" : "source";
tinfo = TUNNEL_INFO(.name = name, .mode = mode);