From adb3a55703447f85e1d27f522213761b2ef6beea Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Wed, 9 Jul 2025 14:25:32 -0400
Subject: [PATCH] protocl-native: v0: Fix integer overflow to buffer overflow

Too many dict items could cause an integer overflow leading to a stack-based buffer overflow.
---
 src/modules/module-protocol-native/connection.h | 4 ++++
 src/modules/module-protocol-native/protocol-native.c | 4 ----
 src/modules/module-protocol-native/v0/protocol-native.c | 8 ++++++++
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/modules/module-protocol-native/connection.h b/src/modules/module-protocol-native/connection.h
index 0d3b4fba2..bc9bb530d 100644
--- a/src/modules/module-protocol-native/connection.h
+++ b/src/modules/module-protocol-native/connection.h
@@ -10,6 +10,10 @@
 #include
+#define MAX_DICT 1024
+#define MAX_PARAM_INFO 128
+#define MAX_PERMISSIONS 4096
+
 #ifdef __cplusplus
 extern "C" {
 #endif
diff --git a/src/modules/module-protocol-native/protocol-native.c b/src/modules/module-protocol-native/protocol-native.c
index 03f4c8a7e..3a7a1a179 100644
--- a/src/modules/module-protocol-native/protocol-native.c
+++ b/src/modules/module-protocol-native/protocol-native.c
@@ -15,10 +15,6 @@
 #include "connection.h"
-#define MAX_DICT 1024
-#define MAX_PARAM_INFO 128
-#define MAX_PERMISSIONS 4096
-
 PW_LOG_TOPIC_EXTERN(mod_topic);
 #define PW_LOG_TOPIC_DEFAULT mod_topic
diff --git a/src/modules/module-protocol-native/v0/protocol-native.c b/src/modules/module-protocol-native/v0/protocol-native.c
index 04ad349be..c50d01d55 100644
--- a/src/modules/module-protocol-native/v0/protocol-native.c
+++ b/src/modules/module-protocol-native/v0/protocol-native.c
@@ -173,6 +173,8 @@ static int core_demarshal_client_update(void *object, const struct pw_protocol_n
 "i", &props.n_items, NULL) < 0)
 return -EINVAL;
+ if (props.n_items > MAX_DICT)
+ return -ENOSPC;
 props.items = alloca(props.n_items * sizeof(struct spa_dict_item));
 for (i = 0; i < props.n_items; i++) {
 if (spa_pod_parser_get(&prs,
@@ -219,6 +221,8 @@ static int core_demarshal_permissions(void *object, const struct pw_protocol_nat
 spa_pod_parser_get(&prs, "i", &props.n_items, NULL) < 0)
 return -EINVAL;
+ if (props.n_items > MAX_DICT)
+ return -ENOSPC;
 props.items = alloca(props.n_items * sizeof(struct spa_dict_item));
 n_permissions = 0;
@@ -698,6 +702,8 @@ static int core_demarshal_create_object(void *object, const struct pw_protocol_n
 "i", &props.n_items, NULL) < 0)
 return -EINVAL;
+ if (props.n_items > MAX_DICT)
+ return -ENOSPC;
 props.items = alloca(props.n_items * sizeof(struct spa_dict_item));
 for (i = 0; i < props.n_items; i++) {
 if (spa_pod_parser_get(&prs,
@@ -764,6 +770,8 @@ static int core_demarshal_update_types_server(void *object, const struct pw_prot
 if (first_id == 0)
 compat_v2->send_types = true;
+ if (n_types > MAX_DICT)
+ return -ENOSPC;
 types = alloca(n_types * sizeof(char *));
 for (i = 0; i < n_types; i++) {
 if (spa_pod_parser_get(&prs, "s", &types[i], NULL) < 0)
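Review bot: The new `props.n_items > MAX_DICT` guard in core_demarshal_client_update has no comment tying it to the `alloca` on the following line, and the same holds for the identical guards in core_demarshal_permissions and core_demarshal_create_object. Since the count is read straight from the message by `spa_pod_parser_get`, I would add `/* n_items comes from the peer and sizes the alloca below; bound it first */` above each check so the ordering is not lost in a later refactor. All three functions begin and end outside their hunks, so other counts parsed from the message that may reach an `alloca` cannot be checked from here; the rest of v0/protocol-native.c is worth a sweep for that pattern.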
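Review bot: In core_demarshal_update_types_server the guard `n_types > MAX_DICT` only rejects large positive counts, and the declaration of `n_types` is outside the hunk. If it is a signed type, a negative value passes the check and is converted to a very large size in `alloca(n_types * sizeof(char *))`; in that case the condition should be `if (n_types < 0 || n_types > MAX_DICT)`. If it is unsigned the check is sufficient as written. `MAX_DICT` is also being reused for something that is not a dict, so a dedicated limit defined beside the others in connection.h would read more clearly.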