protocl-native: v0: Fix integer overflow to buffer overflow

Too many dict items could cause an integer overflow leading to a stack-based buffer overflow.
2025-11-03 09:01:54 -05:00 · 2025-07-09 14:25:32 -04:00 · 2025-07-09 14:25:32 -04:00 · adb3a55703
commit adb3a55703
parent 9a66938283
3 changed files with 12 additions and 4 deletions
--- a/src/modules/module-protocol-native/connection.h
+++ b/src/modules/module-protocol-native/connection.h
@ -10,6 +10,10 @@

 #include <pipewire/extensions/protocol-native.h>

+#define MAX_DICT	1024
+#define MAX_PARAM_INFO	128
+#define MAX_PERMISSIONS	4096
+
 #ifdef __cplusplus
 extern "C" {
 #endif
--- a/src/modules/module-protocol-native/protocol-native.c
+++ b/src/modules/module-protocol-native/protocol-native.c
@ -15,10 +15,6 @@

 #include "connection.h"

-#define MAX_DICT	1024
-#define MAX_PARAM_INFO	128
-#define MAX_PERMISSIONS	4096
-
 PW_LOG_TOPIC_EXTERN(mod_topic);
 #define PW_LOG_TOPIC_DEFAULT mod_topic

--- a/src/modules/module-protocol-native/v0/protocol-native.c
+++ b/src/modules/module-protocol-native/v0/protocol-native.c
@ -173,6 +173,8 @@ static int core_demarshal_client_update(void *object, const struct pw_protocol_n
 		    "i", &props.n_items, NULL) < 0)
 		return -EINVAL;

+	if (props.n_items > MAX_DICT)
+		return -ENOSPC;
 	props.items = alloca(props.n_items * sizeof(struct spa_dict_item));
 	for (i = 0; i < props.n_items; i++) {
 		if (spa_pod_parser_get(&prs,
@ -219,6 +221,8 @@ static int core_demarshal_permissions(void *object, const struct pw_protocol_nat
 	    spa_pod_parser_get(&prs, "i", &props.n_items, NULL) < 0)
 		return -EINVAL;

+	if (props.n_items > MAX_DICT)
+		return -ENOSPC;
 	props.items = alloca(props.n_items * sizeof(struct spa_dict_item));

 	n_permissions = 0;
@ -698,6 +702,8 @@ static int core_demarshal_create_object(void *object, const struct pw_protocol_n
 			"i", &props.n_items, NULL) < 0)
 		return -EINVAL;

+	if (props.n_items > MAX_DICT)
+		return -ENOSPC;
 	props.items = alloca(props.n_items * sizeof(struct spa_dict_item));
 	for (i = 0; i < props.n_items; i++) {
 		if (spa_pod_parser_get(&prs,
@ -764,6 +770,8 @@ static int core_demarshal_update_types_server(void *object, const struct pw_prot
 	if (first_id == 0)
 		compat_v2->send_types = true;

+	if (n_types > MAX_DICT)
+		return -ENOSPC;
 	types = alloca(n_types * sizeof(char *));
 	for (i = 0; i < n_types; i++) {
 		if (spa_pod_parser_get(&prs, "s", &types[i], NULL) < 0)