mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-03 06:47:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix integer overflow in port latency offset conversion

Browse source 
Client-supplied int64_t offset was multiplied by 1000 without overflow
check. Use spa_overflow_mul to detect and reject values that would
overflow.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-29 18:19:03 +02:00
parent 6a8c2469c5
commit 890c06117a
1 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/modules/module-protocol-pulse/pulse-server.c
View file

@ -28,6 +28,7 @@
#include <spa/param/props.h> #include <spa/param/props.h>
#include <spa/utils/ringbuffer.h> #include <spa/utils/ringbuffer.h>
#include <spa/utils/json.h> #include <spa/utils/json.h>
#include <spa/utils/overflow.h>
#include <pipewire/pipewire.h> #include <pipewire/pipewire.h>
#include <pipewire/extensions/metadata.h> #include <pipewire/extensions/metadata.h>
@ -3177,7 +3178,8 @@ static int do_set_port_latency_offset(struct client *client, uint32_t command, u
if (port_name == NULL) if (port_name == NULL)
return -EINVAL; return -EINVAL;
value = offset * 1000; /* to nsec */ if (spa_overflow_mul(offset, (int64_t)1000, &value))
return -EINVAL;
if ((card = select_object(manager, &sel)) == NULL) if ((card = select_object(manager, &sel)) == NULL)
return -ENOENT; return -ENOENT;