From 890c06117a5f93d7eff8df73953ff3769950baca Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Wed, 29 Apr 2026 18:19:03 +0200
Subject: [PATCH] security: fix integer overflow in port latency offset conversion
Client-supplied int64_t offset was multiplied by 1000 without overflow check. Use spa_overflow_mul to detect and reject values that would overflow.
Co-Authored-By: Claude Opus 4.7
---
 src/modules/module-protocol-pulse/pulse-server.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/modules/module-protocol-pulse/pulse-server.c b/src/modules/module-protocol-pulse/pulse-server.c
index 1973d3bec..aaafb5641 100644
--- a/src/modules/module-protocol-pulse/pulse-server.c
+++ b/src/modules/module-protocol-pulse/pulse-server.c
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -3177,7 +3178,8 @@ static int do_set_port_latency_offset(struct client *client, uint32_t command, u
 if (port_name == NULL)
 return -EINVAL;
- value = offset * 1000; /* to nsec */
+ if (spa_overflow_mul(offset, (int64_t)1000, &value))
+ return -EINVAL;
 if ((card = select_object(manager, &sel)) == NULL)
 return -ENOENT;
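Review bot: The rewritten conversion in do_set_port_latency_offset drops the `/* to nsec */` comment that the removed line carried, so the factor 1000 and the reason for the early return are no longer explained; I would put `/* to nsec; reject client offsets whose conversion overflows */` above the `spa_overflow_mul` call. The check rules out wraparound only: every offset that still fits after the multiplication is accepted, so if code after this hunk adds `value` to other latency figures, a documented range limit would be worth adding there. The declaration of `value` is outside the hunk, and the check presumably relies on it being `int64_t` like `offset`, which is worth confirming. The function starts and ends outside the hunk.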