mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-05 07:15:34 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

websocket: fix some overflows

Browse source 
Fix some integer and buffer overflows as suggested by Sami Farin.
This commit is contained in:
Wim Taymans 2026-02-27 17:58:51 +01:00
parent dee2d5ee06
commit 9ad5ca2e5a
1 changed files with 13 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

17
src/modules/module-sendspin/websocket.c
View file

@ -289,7 +289,7 @@ static int receive_websocket(struct pw_websocket_connection *conn,
/* header done */ /* header done */
conn->status = d[0] & 0xf; conn->status = d[0] & 0xf;
if (d[1] & 0x80) if (d[1] & 0x80)
header =+ 4; header += 4;
if ((d[1] & 0x7f) == 126) if ((d[1] & 0x7f) == 126)
header += 2; header += 2;
else if ((d[1] & 0x7f) == 127) else if ((d[1] & 0x7f) == 127)
@ -309,7 +309,9 @@ static int receive_websocket(struct pw_websocket_connection *conn,
header = 8; header = 8;
for (i = 0; i < header; i++) for (i = 0; i < header; i++)
payload_len = (payload_len << 8) | d[i + 2]; payload_len = (payload_len << 8) | d[i + 2];
need += payload_len; if (payload_len > (size_t)(INT_MAX - need))
return -EMSGSIZE;
need += (int)payload_len;
conn->data_state++; conn->data_state++;
} }
if (need == 0) { if (need == 0) {
@ -492,7 +494,7 @@ static int receive_http_reply(struct pw_websocket_connection *conn,
if (sscanf(l, "HTTP/%d.%d %n%d", &v1, &v2, &message, &status) != 3) if (sscanf(l, "HTTP/%d.%d %n%d", &v1, &v2, &message, &status) != 3)
return -EPROTO; return -EPROTO;
conn->status = status; conn->status = status;
strcpy(conn->message, &l[message]); snprintf(conn->message, sizeof(conn->message), "%s", &l[message]);
conn->content_length = 0; conn->content_length = 0;
conn->data_state++; conn->data_state++;
} }
@ -642,6 +644,8 @@ static int handle_input(struct pw_websocket_connection *conn)
current)) < 0) current)) < 0)
return res; return res;
if (conn->data_wanted > SIZE_MAX - res)
return -EOVERFLOW;
conn->data_wanted += res; conn->data_wanted += res;
} }
} }
@ -1012,8 +1016,13 @@ int pw_websocket_connection_send(struct pw_websocket_connection *conn, uint8_t o
uint8_t *d, *mask = NULL, maskbit = conn->maskbit; uint8_t *d, *mask = NULL, maskbit = conn->maskbit;
size_t payload_length = 0; size_t payload_length = 0;
for (i = 0; i < iov_len; i++) for (i = 0; i < iov_len; i++) {
if (payload_length > SIZE_MAX - iov[i].iov_len)
return -EOVERFLOW;
payload_length += iov[i].iov_len; payload_length += iov[i].iov_len;
}
if (payload_length > SIZE_MAX - sizeof(*msg) - 14)
return -EOVERFLOW;
if ((msg = calloc(1, sizeof(*msg) + 14 + payload_length)) == NULL) if ((msg = calloc(1, sizeof(*msg) + 14 + payload_length)) == NULL)
return -errno; return -errno;