security: fix integer truncation in combine-stream delay calculation

Memory Safety: Medium In update_delay(), the delay compensation size is computed as delay * sizeof(float) where delay is int64_t but size is uint32_t. When the delay value is very large, the multiplication result truncates to a small uint32_t value. This causes an undersized buffer allocation in resize_delay(), while compensate_samples retains the original large value. Subsequent use of compensate_samples could then write past the end of the buffer. A negative delay (possible if delay_samples overflows) would also produce a large unsigned size due to implicit conversion. Fix by clamping the delay to be non-negative and within the maximum delay buffer size before the multiplication, ensuring the size cannot truncate or wrap. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-28 06:46:42 -04:00 · 2026-04-23 18:01:10 +02:00 · 2026-04-23 18:01:10 +02:00 · 835ba5efd6
commit 835ba5efd6
parent 1d68d7f2e9
1 changed files with 4 additions and 0 deletions
--- a/src/modules/module-combine-stream.c
+++ b/src/modules/module-combine-stream.c
@ -586,6 +586,10 @@ static void update_delay(struct impl *impl)

 		if (s->delay_samples != INT64_MIN) {
 			int64_t delay = max_delay - s->delay_samples;
+			if (delay < 0)
+				delay = 0;
+			if (delay > (int64_t)(DELAYBUF_MAX_SIZE / sizeof(float)))
+				delay = DELAYBUF_MAX_SIZE / sizeof(float);
 			s->compensate_samples = delay;
 			size = delay * sizeof(float);
 		}