mirror of
https://gitlab.freedesktop.org/pipewire/pipewire.git
synced 2026-05-02 06:46:36 -04:00
security: fix integer overflow in port latency offset conversion
Client-supplied int64_t offset was multiplied by 1000 without overflow check. Use spa_overflow_mul to detect and reject values that would overflow. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans
parent
6a8c2469c5
commit
890c06117a
1 changed files with 3 additions and 1 deletions
|
|
@ -28,6 +28,7 @@
|
|||
#include <spa/param/props.h>
|
||||
#include <spa/utils/ringbuffer.h>
|
||||
#include <spa/utils/json.h>
|
||||
#include <spa/utils/overflow.h>
|
||||
|
||||
#include <pipewire/pipewire.h>
|
||||
#include <pipewire/extensions/metadata.h>
|
||||
|
|
@ -3177,7 +3178,8 @@ static int do_set_port_latency_offset(struct client *client, uint32_t command, u
|
|||
if (port_name == NULL)
|
||||
return -EINVAL;
|
||||
|
||||
value = offset * 1000; /* to nsec */
|
||||
if (spa_overflow_mul(offset, (int64_t)1000, &value))
|
||||
return -EINVAL;
|
||||
|
||||
if ((card = select_object(manager, &sel)) == NULL)
|
||||
return -ENOENT;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue