mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-25 06:46:40 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix integer overflow in PulseAudio message buffer allocation

Browse source 
Memory Safety: High

In ensure_size(), the check `m->length + size <= m->allocated` could
overflow when both m->length and size are large uint32_t values,
wrapping around to a small number and incorrectly passing the bounds
check. This could allow writing past the end of the allocated buffer.

Rewrite the check as `size <= m->allocated - m->length` which cannot
overflow since we already verified m->length <= m->allocated. Also add
an explicit overflow check for the new allocation size calculation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-23 17:15:22 +02:00
parent 05bcfa7a2a
commit 8d352fe52e
1 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/modules/module-protocol-pulse/message.c
View file

@ -383,9 +383,12 @@ static int ensure_size(struct message *m, uint32_t size)
if (m->length > m->allocated) if (m->length > m->allocated)
return -ENOMEM; return -ENOMEM;
if (m->length + size <= m->allocated) if (size <= m->allocated - m->length)
return size; return size;
if (m->allocated + size < m->allocated)
return -ENOMEM;
alloc = SPA_ROUND_UP_N(SPA_MAX(m->allocated + size, 4096u), 4096u); alloc = SPA_ROUND_UP_N(SPA_MAX(m->allocated + size, 4096u), 4096u);
diff = alloc - m->allocated; diff = alloc - m->allocated;
if ((data = realloc(m->data, alloc)) == NULL) { if ((data = realloc(m->data, alloc)) == NULL) {