module-avb: bound descriptor size in READ_DESCRIPTOR reply to prevent stack overflow

hackerman-kl 2026-04-22 19:19:10 +02:00
parent a8832c74d0
commit 6ca2f509e3


@ -100,11 +100,17 @@ static int handle_read_descriptor_common(struct aecp *aecp, int64_t now, const v
if (desc == NULL)
return reply_status(aecp, AVB_AECP_AEM_STATUS_NO_SUCH_DESCRIPTOR, m, len);
memcpy(buf, m, len);
if (len < 0 || (size_t)len > sizeof(buf))
return reply_status(aecp, AVB_AECP_AEM_STATUS_BAD_ARGUMENTS, m, len);
psize = sizeof(*rd);
size = sizeof(*h) + sizeof(*reply) + psize;
if (desc->size > sizeof(buf) || size > sizeof(buf) - desc->size)
return reply_status(aecp, AVB_AECP_AEM_STATUS_NO_RESOURCES, m, len);
memcpy(buf, m, len);
memcpy(buf + size, desc->ptr, desc->size);
size += desc->size;
psize += desc->size;
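Review bot: The new rejection branch for a bad `len` still passes that same value on, `return reply_status(aecp, AVB_AECP_AEM_STATUS_BAD_ARGUMENTS, m, len);`, so a negative or oversized `len` reaches the reply helper unchecked. The earlier `NO_SUCH_DESCRIPTOR` return has the same exposure, because it runs before the length check. `reply_status` is not visible here; if it copies `m` by `len` or sizes a buffer from it, the check should move ahead of the descriptor lookup and the invalid-length path should return without building a reply (for example `return -EINVAL;`, assuming that fits this handler's return convention). The check also has no lower bound: a `len` smaller than `sizeof(*h) + sizeof(*reply) + sizeof(*rd)` leaves part of the header region of `buf` uncopied before the descriptor is appended at `buf + size`, so unless `buf` is zeroed at its declaration those stack bytes would go out in the reply. The function body starts before and continues after this hunk, so the declaration of `buf` and the code that sends the reply should be checked against both points.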