mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2025-10-29 05:40:27 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

pod: improve spa_pod_from_data()

Browse source 
spa_pod_from_data() is now safe against integer overflow.
This commit is contained in:
Wim Taymans 2025-07-03 13:35:07 +02:00
parent a0beb30ba8
commit b75ed93e51
1 changed files with 6 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

8
spa/include/spa/pod/iter.h
View file

@ -129,10 +129,14 @@ SPA_API_POD_ITER struct spa_pod_control *spa_pod_control_next(const struct spa_p
SPA_API_POD_ITER void *spa_pod_from_data(void *data, size_t maxsize, off_t offset, size_t size) SPA_API_POD_ITER void *spa_pod_from_data(void *data, size_t maxsize, off_t offset, size_t size)
{ {
void *pod; void *pod;
if (size < sizeof(struct spa_pod) || offset + size > maxsize) if (offset < 0 || offset > (int64_t)UINT32_MAX)
return NULL;
if (size < sizeof(struct spa_pod) ||
size > maxsize ||
maxsize - size < (uint32_t)offset)
return NULL; return NULL;
pod = SPA_PTROFF(data, offset, void); pod = SPA_PTROFF(data, offset, void);
if (SPA_POD_SIZE(pod) > size) if (SPA_POD_BODY_SIZE(pod) > size - sizeof(struct spa_pod))
return NULL; return NULL;
return pod; return pod;
} }