mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2025-10-29 05:40:27 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

pod: avoid use-after-free error because of reallocation

Browse source 
When the pod to filter is in the target builder memory and reallocation
is needed, make sure we refer to the filter in the reallocated memory
instead of the old freed memory.

Fixes #4445
This commit is contained in:
Wim Taymans 2025-02-25 13:18:37 +01:00
parent fb4475b5da
commit 54836736b0
1 changed files with 10 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

11
spa/include/spa/pod/builder.h
View file

@ -128,16 +128,25 @@ SPA_API_POD_BUILDER int spa_pod_builder_raw(struct spa_pod_builder *builder, con
int res = 0;
struct spa_pod_frame *f;
uint32_t offset = builder->state.offset;
size_t data_offset = -1;
if (offset + size > builder->size) {
/* data could be inside the data we will realloc */
if (spa_ptrinside(builder->data, builder->size, data, size, NULL))
data_offset = SPA_PTRDIFF(data, builder->data);
res = -ENOSPC;
if (offset <= builder->size)
spa_callbacks_call_res(&builder->callbacks,
struct spa_pod_builder_callbacks, res,
overflow, 0, offset + size);
}
if (res == 0 && data)
if (res == 0 && data) {
if (data_offset != (size_t) -1)
data = SPA_PTROFF(builder->data, data_offset, const void);
memcpy(SPA_PTROFF(builder->data, offset, void), data, size);
}
builder->state.offset += size;