From 99c150a6130ad1be6f1ce14f7fd0aabf435e43da Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Fri, 2 Dec 2022 10:58:13 +0100
Subject: [PATCH] stream: handle some invalid situations

Give an error when try to set more buffers than allowed.
Make sure we only queue buffers with a valid id.
---
 src/pipewire/stream.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/pipewire/stream.c b/src/pipewire/stream.c
index 808eb4747..c1ae0df23 100644
--- a/src/pipewire/stream.c
+++ b/src/pipewire/stream.c
@@ -324,7 +324,8 @@ static inline int queue_push(struct stream *stream, struct queue *queue, struct
 {
 	uint32_t index;
 
-	if (SPA_FLAG_IS_SET(buffer->flags, BUFFER_FLAG_QUEUED))
+	if (SPA_FLAG_IS_SET(buffer->flags, BUFFER_FLAG_QUEUED) ||
+	    buffer->id >= stream->n_buffers)
 		return -EINVAL;
 
 	SPA_FLAG_SET(buffer->flags, BUFFER_FLAG_QUEUED);
@@ -921,6 +922,9 @@ static int impl_port_use_buffers(void *object,
 	if (impl->disconnecting && n_buffers > 0)
 		return -EIO;
 
+	if (n_buffers > MAX_BUFFERS)
+		return -EINVAL;
+
 	prot = PROT_READ | (direction == SPA_DIRECTION_OUTPUT ? PROT_WRITE : 0);
 
 	clear_buffers(stream);
@@ -956,6 +960,7 @@ static int impl_port_use_buffers(void *object,
 		pw_log_debug("%p: got buffer id:%d datas:%d, mapped size %d", stream, i,
 				buffers[i]->n_datas, size);
 	}
+	impl->n_buffers = n_buffers;
 
 	for (i = 0; i < n_buffers; i++) {
 		struct buffer *b = &impl->buffers[i];
@@ -972,9 +977,6 @@ static int impl_port_use_buffers(void *object,
 
 		pw_stream_emit_add_buffer(stream, &b->this);
 	}
-
-	impl->n_buffers = n_buffers;
-
 	return 0;
 }