mirror of
https://gitlab.freedesktop.org/pipewire/pipewire.git
synced 2026-04-27 06:46:48 -04:00
security: fix inverted overflow check in RTP MIDI message size parsing
Memory Safety: High

In get_midi_size(), the overflow check for SysEx and meta-event message sizes has the comparison operator inverted. The check (unsigned int)(INT_MAX - size - 1) > value rejects small (safe) payload sizes and accepts large sizes that cause signed integer overflow in the subsequent size += (int)value + 1.

This means all SysEx messages (0xF0, 0xF7) and system reset/meta events (0xFF) with valid payloads are incorrectly rejected, while crafted packets with very large variable-length values bypass the check. Although the caller has a secondary bounds check that mitigates most exploitation, the inverted check is both a functional bug (breaks SysEx over RTP) and a defense-in-depth failure.

Fix by swapping the operands so that the check correctly rejects values that would overflow: value > (unsigned int)(INT_MAX - size - 1).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
7a969654f6
commit
4c9ec363a3
1 changed files with 1 additions and 1 deletions
|
|
@ -134,7 +134,7 @@ static int get_midi_size(uint8_t *p, uint32_t avail)
|
||||||
case 0xf7:
|
case 0xf7:
|
||||||
if ((size = parse_varlen(&p[offs], avail - offs, &value)) < 0)
|
if ((size = parse_varlen(&p[offs], avail - offs, &value)) < 0)
|
||||||
return size;
|
return size;
|
||||||
if ((unsigned int)(INT_MAX - size - 1) > value)
|
if (value > (unsigned int)(INT_MAX - size - 1))
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
size += (int)value + 1;
|
size += (int)value + 1;
|
||||||
break;
|
break;
|
||||||
|
|
|
||||||
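Review bot: The corrected guard on the `if (value > (unsigned int)(INT_MAX - size - 1))` line still bounds `value` only against `INT_MAX`, not against the bytes actually present in the packet, so the `size += (int)value + 1` that follows can still produce a size far larger than `avail`, and rejecting it is left to the caller's secondary check that the commit message mentions. Since `avail` and `offs` are both in scope at this point, consider rejecting here when `value` exceeds what remains after the variable-length field (for example by comparing against `avail - offs - size`), unless code outside this hunk already does so. A regression test that feeds one valid short SysEx message and one message with an oversized variable-length value would pin down both behaviours the commit message describes.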