From 6a8c2469c59ff68b1347a8883311c446818d16f8 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Wed, 29 Apr 2026 18:16:52 +0200 Subject: [PATCH] security: fix create_tag check to allow upload stream memblocks The create_tag guard added in a2de6c886 also rejected memblocks for upload streams, which never clear create_tag. Upload streams allocate their buffer immediately, so the NULL deref risk does not apply to them. Exempt STREAM_TYPE_UPLOAD from the check. Co-Authored-By: Claude Opus 4.7 --- src/modules/module-protocol-pulse/server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/module-protocol-pulse/server.c b/src/modules/module-protocol-pulse/server.c index 1f04532e2..1169c15c1 100644 --- a/src/modules/module-protocol-pulse/server.c +++ b/src/modules/module-protocol-pulse/server.c @@ -128,7 +128,7 @@ static int handle_memblock(struct client *client, struct message *msg) stream = pw_map_lookup(&client->streams, channel); if (stream == NULL || stream->type == STREAM_TYPE_RECORD || - stream->create_tag != SPA_ID_INVALID) { + (stream->type != STREAM_TYPE_UPLOAD && stream->create_tag != SPA_ID_INVALID)) { pw_log_info("client %p [%s]: received memblock for unknown channel %d", client, client->name, channel); goto finish;