mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-30 06:46:49 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: clamp channel count in PulseAudio volume control handler

Browse source 
Memory Safety: High

The stream_control_info() callback copied control->n_values floats
into stream->volume.values without checking bounds. The source allows
up to MAX_VALUES (256) entries but the destination volume array is
only CHANNELS_MAX (64) entries, so a stream with more than 64 channel
volumes would overflow the buffer. Clamp n_values to CHANNELS_MAX
before the copy.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-27 11:24:30 +02:00
parent 88a3bf8aab
commit 6efaf12d00
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/modules/module-protocol-pulse/pulse-server.c
View file

@ -1121,8 +1121,8 @@ static void stream_control_info(void *data, uint32_t id,
switch (id) {
case SPA_PROP_channelVolumes:
if (!stream->volume_set) {
stream->volume.channels = control->n_values;
memcpy(stream->volume.values, control->values, control->n_values * sizeof(float));
stream->volume.channels = SPA_MIN(control->n_values, CHANNELS_MAX);
memcpy(stream->volume.values, control->values, stream->volume.channels * sizeof(float));
pw_log_info("stream %p: volume changed %f", stream, stream->volume.values[0]);
}
break;