security: fix heap OOB read in PulseAudio sample cache playback

The sample cache upload buffer is allocated as MAXLENGTH (4MB) but
sample->length can be up to SCACHE_ENTRY_SIZE_MAX (16MB). During
playback, the read offset can exceed the buffer size, causing an
out-of-bounds heap read. Wrap the offset into the ring buffer.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Wim Taymans 2026-04-29 16:10:44 +02:00
parent c1f6cde926
commit 808bcf39cd


@ -100,7 +100,7 @@ static void sample_play_stream_process(void *data)
if (b->requested)
size = SPA_MIN(size, b->requested * p->stride);
memcpy(d, s->buffer + p->offset, size);
memcpy(d, s->buffer + (p->offset % MAXLENGTH), size);
p->offset += size;
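Review bot: The modulo on the memcpy source in sample_play_stream_process wraps only the start position; the copy is still a single contiguous read of size bytes, so whenever (p->offset % MAXLENGTH) + size is larger than MAXLENGTH it reads past the end of s->buffer again. Nothing in the visible lines limits size to MAXLENGTH - (p->offset % MAXLENGTH), so either clamp size to that remainder before the memcpy or split the copy in two at the wrap point. Separately, the commit message says sample->length can reach SCACHE_ENTRY_SIZE_MAX while the buffer is MAXLENGTH, so please document whether the bytes at the wrapped offset are really the sample data for that position, or whether the upload length should be rejected above MAXLENGTH instead.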