mirror of
https://gitlab.freedesktop.org/pipewire/pipewire.git
synced 2026-04-25 06:46:40 -04:00
security: fix integer overflow in PulseAudio message buffer allocation
Memory Safety: High In ensure_size(), the check `m->length + size <= m->allocated` could overflow when both m->length and size are large uint32_t values, wrapping around to a small number and incorrectly passing the bounds check. This could allow writing past the end of the allocated buffer. Rewrite the check as `size <= m->allocated - m->length` which cannot overflow since we already verified m->length <= m->allocated. Also add an explicit overflow check for the new allocation size calculation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
parent
05bcfa7a2a
commit
8d352fe52e
1 changed files with 4 additions and 1 deletions
|
|
@ -383,9 +383,12 @@ static int ensure_size(struct message *m, uint32_t size)
|
|||
if (m->length > m->allocated)
|
||||
return -ENOMEM;
|
||||
|
||||
if (m->length + size <= m->allocated)
|
||||
if (size <= m->allocated - m->length)
|
||||
return size;
|
||||
|
||||
if (m->allocated + size < m->allocated)
|
||||
return -ENOMEM;
|
||||
|
||||
alloc = SPA_ROUND_UP_N(SPA_MAX(m->allocated + size, 4096u), 4096u);
|
||||
diff = alloc - m->allocated;
|
||||
if ((data = realloc(m->data, alloc)) == NULL) {
|
||||
|
|
|
|||
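Review bot: The added wrap check `if (m->allocated + size < m->allocated)` covers only the raw sum, not the `SPA_ROUND_UP_N(..., 4096u)` applied to that sum in the `alloc = ...` statement right after it. If `alloc` is a 32-bit value (its declaration is outside the hunk; the description only says the fields are uint32_t), a sum within 4095 of UINT32_MAX passes the new check and the round-up can still wrap to 0, so `realloc` would be called with a size far smaller than requested. I would bound against the rounded value instead, e.g. `if (m->allocated > UINT32_MAX - 4095u || size > UINT32_MAX - 4095u - m->allocated)` followed by `return -ENOMEM;`, with a one-line comment saying the 4095 margin accounts for the 4096-byte alignment. ensure_size() starts and ends outside the hunk, so the handling after `realloc` (including the NULL branch) cannot be checked from here.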