From b75ed93e51f6c04652e211998d74732975c16c42 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Thu, 3 Jul 2025 13:35:07 +0200
Subject: [PATCH] pod: improve spa_pod_from_data()

spa_pod_from_data() is now safe against integer overflow.
---
 spa/include/spa/pod/iter.h | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/spa/include/spa/pod/iter.h b/spa/include/spa/pod/iter.h
index 19ed9823a..f77f47e70 100644
--- a/spa/include/spa/pod/iter.h
+++ b/spa/include/spa/pod/iter.h
@@ -129,10 +129,14 @@ SPA_API_POD_ITER struct spa_pod_control *spa_pod_control_next(const struct spa_p
 SPA_API_POD_ITER void *spa_pod_from_data(void *data, size_t maxsize, off_t offset, size_t size)
 {
 	void *pod;
-	if (size < sizeof(struct spa_pod) || offset + size > maxsize)
+	if (offset < 0 || offset > (int64_t)UINT32_MAX)
+		return NULL;
+	if (size < sizeof(struct spa_pod) ||
+	    size > maxsize ||
+	    maxsize - size < (uint32_t)offset)
 		return NULL;
 	pod = SPA_PTROFF(data, offset, void);
-	if (SPA_POD_SIZE(pod) > size)
+	if (SPA_POD_BODY_SIZE(pod) > size - sizeof(struct spa_pod))
 		return NULL;
 	return pod;
 }
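Review bot: The new condition `maxsize - size < (uint32_t)offset` is correct but its reasoning is not obvious from the line itself: it is the wrap-free form of the removed `offset + size > maxsize`, and it is only sound because `size > maxsize` is rejected in the preceding condition and `offset` was bounded to `UINT32_MAX` by the check above it, so a comment such as `/* overflow-safe form of offset + size > maxsize; relies on size <= maxsize and 0 <= offset <= UINT32_MAX checked above */` would stop a later reordering of the conditions from silently reintroducing the overflow. The same applies to the final check, which compares `SPA_POD_BODY_SIZE(pod)` with `size - sizeof(struct spa_pod)` instead of `SPA_POD_SIZE(pod) > size` so that a body size close to `UINT32_MAX` cannot wrap when the header size is added; one line saying so would help the next reader. One point the commit does not address: the header is read through `SPA_POD_BODY_SIZE(pod)` at an arbitrary caller-supplied `offset`, and unless the API already requires offsets aligned to the pod header this is a misaligned load on strict-alignment targets; whether such a requirement exists is not visible in this hunk. The whole of spa_pod_from_data lies within the hunk.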