mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-29 06:46:38 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix integer truncation in peer_name alloca size

Browse source 
Memory Safety: Medium

The strlen() return value (size_t) is stored in an int before being
passed to alloca(). If a malicious client sets an extremely long
PW_KEY_NODE_NAME property, the addition could overflow the int,
resulting in a small or negative alloca size and a subsequent buffer
overflow in snprintf().

Change the type to size_t and add a bounds check to prevent
excessively large stack allocations.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-24 16:09:08 +02:00
parent d60ae4a1df
commit a9f1ad414e
1 changed files with 6 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/modules/module-protocol-pulse/pulse-server.c
View file

@ -863,10 +863,12 @@ static void manager_added(void *data, struct pw_manager_object *o)
peer_name = "unknown";
if (peer_name && s->direction == PW_DIRECTION_INPUT &&
pw_manager_object_is_monitor(peer)) {
int len = strlen(peer_name) + 10;
char *tmp = alloca(len);
snprintf(tmp, len, "%s.monitor", peer_name);
peer_name = tmp;
size_t len = strlen(peer_name) + 10;
if (len <= 1024) {
char *tmp = alloca(len);
snprintf(tmp, len, "%s.monitor", peer_name);
peer_name = tmp;
}
}
if (peer_name != NULL)
stream_send_moved(s, peer->index, peer_name);