From 808bcf39cdf22c79e281ef56d353ad334dedaf0c Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Wed, 29 Apr 2026 16:10:44 +0200
Subject: [PATCH] security: fix heap OOB read in PulseAudio sample cache playback

The sample cache upload buffer is allocated as MAXLENGTH (4MB) but sample->length can be up to SCACHE_ENTRY_SIZE_MAX (16MB). During playback, the read offset can exceed the buffer size, causing an out-of-bounds heap read. Wrap the offset into the ring buffer.

Co-Authored-By: Claude Opus 4.7
---
 src/modules/module-protocol-pulse/sample-play.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/modules/module-protocol-pulse/sample-play.c b/src/modules/module-protocol-pulse/sample-play.c
index 09b0e75cc..ff6b1e67f 100644
--- a/src/modules/module-protocol-pulse/sample-play.c
+++ b/src/modules/module-protocol-pulse/sample-play.c
@@ -100,7 +100,7 @@ static void sample_play_stream_process(void *data)
 if (b->requested)
 size = SPA_MIN(size, b->requested * p->stride);
- memcpy(d, s->buffer + p->offset, size);
+ memcpy(d, s->buffer + (p->offset % MAXLENGTH), size);
 p->offset += size;
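Review bot: Wrapping only the start offset on the new `memcpy` line still permits a read past the end of the buffer, because nothing visible in the hunk bounds `size` by the bytes left before the wrap point: when `(p->offset % MAXLENGTH) + size` exceeds MAXLENGTH, the copy runs off the allocation that the commit message describes as MAXLENGTH bytes. Clamp the length before the copy, e.g. `size = SPA_MIN(size, MAXLENGTH - (p->offset % MAXLENGTH));`, so that the following `p->offset += size` resumes at the wrap point on the next call. Separately, wrapping makes a sample longer than MAXLENGTH replay earlier buffer contents instead of its own data, so rejecting or capping `sample->length` where the sample is uploaded may be the more complete fix. That upload code and the rest of sample_play_stream_process are outside this hunk, so both points need confirming there.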