From 5d0e806bdbc513dc7a5ed2508d18312d072a9c24 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Thu, 30 Apr 2026 17:40:25 +0200
Subject: [PATCH] security: limit blocklist regex length in switch-on-connect
 module

A PulseAudio client can load this module with an arbitrarily complex
blocklist regex, causing catastrophic backtracking in regexec on
every new device. Cap the regex string at 1024 characters.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .../module-protocol-pulse/modules/module-switch-on-connect.c   | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/modules/module-protocol-pulse/modules/module-switch-on-connect.c b/src/modules/module-protocol-pulse/modules/module-switch-on-connect.c
index 33150d517..0af92c53a 100644
--- a/src/modules/module-protocol-pulse/modules/module-switch-on-connect.c
+++ b/src/modules/module-protocol-pulse/modules/module-switch-on-connect.c
@@ -271,6 +271,9 @@ static int module_switch_on_connect_prepare(struct module * const module)
 	if ((str = pw_properties_get(props, "blocklist")) == NULL)
 		str = DEFAULT_BLOCKLIST;
 
+	if (strlen(str) > 1024)
+		return -EINVAL;
+
 	if (regcomp(&d->blocklist, str, REG_NOSUB | REG_EXTENDED) != 0)
 		return -EINVAL;