mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-03 06:47:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix NULL dereference in PulseAudio handle_memblock

Browse source 
A client can send memblock data to a playback stream channel before
format negotiation completes and the stream buffer is allocated,
causing a NULL pointer dereference crash. Reject memblock data for
streams that are still being created (create_tag != SPA_ID_INVALID).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-29 16:12:49 +02:00
parent 808bcf39cd
commit a2de6c886e
1 changed files with 2 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/modules/module-protocol-pulse/server.c
View file

@ -128,7 +128,8 @@ static int handle_memblock(struct client *client, struct message *msg)
client, channel, offset, flags, msg->length);
stream = pw_map_lookup(&client->streams, channel);
if (stream == NULL || stream->type == STREAM_TYPE_RECORD) {
if (stream == NULL || stream->type == STREAM_TYPE_RECORD ||
stream->create_tag != SPA_ID_INVALID) {
pw_log_info("client %p [%s]: received memblock for unknown channel %d",
client, client->name, channel);
goto finish;