mirror of
https://gitlab.freedesktop.org/pipewire/pipewire.git
synced 2026-05-04 06:46:24 -04:00
pod: add barrier around memcpy
We need to be sure that the compiler does not perform invented loads after we checked the pod size. Otherwise we could have found that the size was ok, only to be overwritten by an invalid size. One way of avoiding this is to surround the memcpy with a barrier. See #4822
This commit is contained in:
Wim Taymans
parent
6d07eaea1f
commit
abcf70538d
2 changed files with 7 additions and 0 deletions
|
|
@ -90,7 +90,12 @@ spa_pod_parser_read_header(struct spa_pod_parser *parser, uint32_t offset, uint3
|
|||
/* Cast to uint64_t to avoid wraparound. */
|
||||
const uint64_t long_offset = (uint64_t)offset + header_size;
|
||||
if (long_offset <= size && (offset & 7) == 0) {
|
||||
/* a barrier around the memcpy to make sure it is not moved around or
|
||||
* duplicated after the size check below. We need to to work on shared
|
||||
* memory while there could be updates happening while we read. */
|
||||
SPA_BARRIER;
|
||||
memcpy(header, SPA_PTROFF(parser->data, offset, void), header_size);
|
||||
SPA_BARRIER;
|
||||
struct spa_pod *pod = SPA_PTROFF(header, pod_offset, struct spa_pod);
|
||||
/* Check that the size (rounded to the next multiple of 8) is in bounds. */
|
||||
if (long_offset + SPA_ROUND_UP_N((uint64_t)pod->size, SPA_POD_ALIGN) <= size) {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue