From a6155387da106b60b63eb5ee37d138d0fd89a63e Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Fri, 24 Apr 2026 14:12:50 +0200
Subject: [PATCH] security: fix unchecked alloca in pulse-server property list handling Memory Safety: Medium Two alloca() calls in the PulseAudio protocol server were missed by the previous alloca bounds-checking fix (commit 0d2877c0d): 1. fill_node_info_proplist() adds n_items counts from node properties and client properties without checking the total before alloca(). A client with a very large number of properties can exhaust the stack. 2. fill_card_info() uses pi->n_props from port info for an alloca() without bounds checking. A card object with many port properties can similarly exhaust the stack. Add MAX_ALLOCA_SIZE checks consistent with the existing pattern to prevent stack overflow from large property counts. Co-Authored-By: Claude Opus 4.6
---
 src/modules/module-protocol-pulse/pulse-server.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/modules/module-protocol-pulse/pulse-server.c b/src/modules/module-protocol-pulse/pulse-server.c
index f6839af5c..95fb2b7aa 100644
--- a/src/modules/module-protocol-pulse/pulse-server.c
+++ b/src/modules/module-protocol-pulse/pulse-server.c
@@ -3646,7 +3646,8 @@ static int fill_card_info(struct client *client, struct message *m,
 pi = &port_info[n];
- if (pi->info && pi->n_props > 0) {
+ if (pi->info && pi->n_props > 0 &&
+ pi->n_props <= MAX_ALLOCA_SIZE / sizeof(*items)) {
 items = alloca(pi->n_props * sizeof(*items));
 dict.items = items;
 pdict = collect_props(pi->info, &dict);
@@ -4100,6 +4101,9 @@ static int fill_node_info_proplist(struct message *m, const struct spa_dict *nod
 n_items += client_props->n_items;
 }
+ if (n_items > MAX_ALLOCA_SIZE / sizeof(struct spa_dict_item))
+ return -ENOMEM;
+
 dict.n_items = n = 0;
 dict.items = items = alloca(n_items * sizeof(struct spa_dict_item));
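Review bot: The new bound in fill_card_info caps each alloca() on its own, but `pi = &port_info[n]` suggests the block runs once per port, and alloca() memory is only released when the function returns, so the stack use adds up across ports. The enclosing loop is outside the hunk, so this is inferred; if the port count comes from the card object, the per-port check alone does not hold the total under MAX_ALLOCA_SIZE. A running total would, e.g. `size_t used = 0;` before the loop, the condition `pi->n_props <= (MAX_ALLOCA_SIZE - used) / sizeof(*items)`, and `used += pi->n_props * sizeof(*items);` after the alloca(). Any other alloca() in the same function (not visible here) should count against the same budget.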
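Review bot: Going over the limit in fill_node_info_proplist fails the whole reply with -ENOMEM, while the matching check in fill_card_info appears to just leave the port without its properties, and neither path says so anywhere. A comment above the new check would record the intent, e.g. `/* node and client props share one alloca(); refuse the reply rather than truncate */`, and a warning-level log at both sites would let an operator see which object tripped the limit. The sum is also formed before it is checked, so the test relies on `n_items` (declared outside the hunk) being wide enough that `n_items += client_props->n_items` cannot wrap; comparing each addend against the remaining budget before adding would remove that assumption. Writing the bound as `MAX_ALLOCA_SIZE / sizeof(*items)` would match the fill_card_info check and keep it tied to the element type of the alloca() that follows.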