mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2025-11-02 09:01:50 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

pod: do size check before calling type/size/data functions

Browse source 
Assume that all the functions that take a type/size/data from a pod have
at least the right number of bytes in the data for the given type.
Callers need to ensure this.

Fix the callers of such functions to always make sure they deref a pod
type/size/body into something of at least the min size of the type.
This commit is contained in:
Wim Taymans 2025-07-22 13:14:17 +02:00
parent 0a52f959ac
commit b904cb14a9
4 changed files with 63 additions and 66 deletions
Download patch file Download diff file Expand all files Collapse all files

40
spa/include/spa/debug/format.h
View file

@ -39,14 +39,10 @@ spa_debug_strbuf_format_value(struct spa_strbuf *buffer, const struct spa_type_i
switch (type) { switch (type) {
case SPA_TYPE_Bool: case SPA_TYPE_Bool:
if (size < sizeof(int32_t))
goto bad_body;
spa_strbuf_append(buffer, "%s", *(int32_t *) body ? "true" : "false"); spa_strbuf_append(buffer, "%s", *(int32_t *) body ? "true" : "false");
break; break;
case SPA_TYPE_Id: case SPA_TYPE_Id:
{ {
if (size < sizeof(uint32_t))
goto bad_body;
uint32_t value = *(uint32_t *) body; uint32_t value = *(uint32_t *) body;
const char *str = spa_debug_type_find_short_name(info, value); const char *str = spa_debug_type_find_short_name(info, value);
char tmp[64]; char tmp[64];
@ -58,42 +54,28 @@ spa_debug_strbuf_format_value(struct spa_strbuf *buffer, const struct spa_type_i
break; break;
} }
case SPA_TYPE_Int: case SPA_TYPE_Int:
if (size < sizeof(int32_t))
goto bad_body;
spa_strbuf_append(buffer, "%d", *(int32_t *) body); spa_strbuf_append(buffer, "%d", *(int32_t *) body);
break; break;
case SPA_TYPE_Long: case SPA_TYPE_Long:
if (size < sizeof(int64_t))
goto bad_body;
spa_strbuf_append(buffer, "%" PRIi64, *(int64_t *) body); spa_strbuf_append(buffer, "%" PRIi64, *(int64_t *) body);
break; break;
case SPA_TYPE_Float: case SPA_TYPE_Float:
if (size < sizeof(float))
goto bad_body;
spa_strbuf_append(buffer, "%f", *(float *) body); spa_strbuf_append(buffer, "%f", *(float *) body);
break; break;
case SPA_TYPE_Double: case SPA_TYPE_Double:
if (size < sizeof(double))
goto bad_body;
spa_strbuf_append(buffer, "%f", *(double *) body); spa_strbuf_append(buffer, "%f", *(double *) body);
break; break;
case SPA_TYPE_String: case SPA_TYPE_String:
if (size < 1 || ((const char *)body)[size - 1] != '\0') spa_strbuf_append(buffer, "%-*s", size, (char *) body);
goto bad_body;
spa_strbuf_append(buffer, "%s", (char *) body);
break; break;
case SPA_TYPE_Rectangle: case SPA_TYPE_Rectangle:
{ {
if (size < sizeof(struct spa_rectangle))
goto bad_body;
struct spa_rectangle *r = (struct spa_rectangle *)body; struct spa_rectangle *r = (struct spa_rectangle *)body;
spa_strbuf_append(buffer, "%" PRIu32 "x%" PRIu32, r->width, r->height); spa_strbuf_append(buffer, "%" PRIu32 "x%" PRIu32, r->width, r->height);
break; break;
} }
case SPA_TYPE_Fraction: case SPA_TYPE_Fraction:
{ {
if (size < sizeof(struct spa_fraction))
goto bad_body;
struct spa_fraction *f = (struct spa_fraction *)body; struct spa_fraction *f = (struct spa_fraction *)body;
spa_strbuf_append(buffer, "%" PRIu32 "/%" PRIu32, f->num, f->denom); spa_strbuf_append(buffer, "%" PRIu32 "/%" PRIu32, f->num, f->denom);
break; break;
@ -109,14 +91,14 @@ spa_debug_strbuf_format_value(struct spa_strbuf *buffer, const struct spa_type_i
void *p; void *p;
struct spa_pod_array_body *b = (struct spa_pod_array_body *)body; struct spa_pod_array_body *b = (struct spa_pod_array_body *)body;
int i = 0; int i = 0;
if (size < sizeof(*b))
goto bad_body;
info = info && info->values ? info->values : info; info = info && info->values ? info->values : info;
spa_strbuf_append(buffer, "< "); spa_strbuf_append(buffer, "< ");
SPA_POD_ARRAY_BODY_FOREACH(b, size, p) { if (b->child.size >= spa_pod_type_size(b->child.type)) {
if (i++ > 0) SPA_POD_ARRAY_BODY_FOREACH(b, size, p) {
spa_strbuf_append(buffer, ", "); if (i++ > 0)
spa_debug_strbuf_format_value(buffer, info, b->child.type, p, b->child.size); spa_strbuf_append(buffer, ", ");
spa_debug_strbuf_format_value(buffer, info, b->child.type, p, b->child.size);
}
} }
spa_strbuf_append(buffer, " >"); spa_strbuf_append(buffer, " >");
break; break;
@ -126,9 +108,6 @@ spa_debug_strbuf_format_value(struct spa_strbuf *buffer, const struct spa_type_i
break; break;
} }
return 0; return 0;
bad_body:
spa_strbuf_append(buffer, "INVALID BODY type %d", type);
return 0;
} }
SPA_API_DEBUG_FORMAT int SPA_API_DEBUG_FORMAT int
@ -184,11 +163,12 @@ SPA_API_DEBUG_FORMAT int spa_debugc_format(struct spa_debug_context *ctx, int in
type = val->type; type = val->type;
size = val->size; size = val->size;
vals = SPA_POD_BODY(val);
if (type < SPA_TYPE_None || type >= _SPA_TYPE_LAST || n_vals < 1) if (type < SPA_TYPE_None || type >= _SPA_TYPE_LAST || n_vals < 1 ||
size < spa_pod_type_size(type))
continue; continue;
vals = SPA_POD_BODY(val);
ti = spa_debug_type_find(info, prop->key); ti = spa_debug_type_find(info, prop->key);
key = ti ? ti->name : NULL; key = ti ? ti->name : NULL;

59
spa/include/spa/debug/pod.h
View file

@ -87,13 +87,18 @@ spa_debugc_pod_value(struct spa_debug_context *ctx, int indent, const struct spa
struct spa_pod_array_body *b = (struct spa_pod_array_body *)body; struct spa_pod_array_body *b = (struct spa_pod_array_body *)body;
void *p; void *p;
const struct spa_type_info *ti = spa_debug_type_find(SPA_TYPE_ROOT, b->child.type); const struct spa_type_info *ti = spa_debug_type_find(SPA_TYPE_ROOT, b->child.type);
uint32_t min_size = spa_pod_type_size(b->child.type);
spa_debugc(ctx, "%*s" "Array: child.size %" PRIu32 ", child.type %s", indent, "", spa_debugc(ctx, "%*s" "Array: child.size %" PRIu32 ", child.type %s", indent, "",
b->child.size, ti ? ti->name : "unknown"); b->child.size, ti ? ti->name : "unknown");
info = info && info->values ? info->values : info; if (b->child.size < min_size) {
SPA_POD_ARRAY_BODY_FOREACH(b, size, p) spa_debugc(ctx, "%*s" " INVALID child.size < %" PRIu32, indent, "", min_size);
spa_debugc_pod_value(ctx, indent + 2, info, b->child.type, p, b->child.size); } else {
info = info && info->values ? info->values : info;
SPA_POD_ARRAY_BODY_FOREACH(b, size, p)
spa_debugc_pod_value(ctx, indent + 2, info, b->child.type, p, b->child.size);
}
break; break;
} }
case SPA_TYPE_Choice: case SPA_TYPE_Choice:
@ -101,20 +106,31 @@ spa_debugc_pod_value(struct spa_debug_context *ctx, int indent, const struct spa
struct spa_pod_choice_body *b = (struct spa_pod_choice_body *)body; struct spa_pod_choice_body *b = (struct spa_pod_choice_body *)body;
void *p; void *p;
const struct spa_type_info *ti = spa_debug_type_find(spa_type_choice, b->type); const struct spa_type_info *ti = spa_debug_type_find(spa_type_choice, b->type);
uint32_t min_size = spa_pod_type_size(b->child.type);
spa_debugc(ctx, "%*s" "Choice: type %s, flags %08" PRIx32 " %" PRIu32 " %" PRIu32, indent, "", spa_debugc(ctx, "%*s" "Choice: type %s, flags %08" PRIx32 " %" PRIu32 " %" PRIu32, indent, "",
ti ? ti->name : "unknown", b->flags, size, b->child.size); ti ? ti->name : "unknown", b->flags, size, b->child.size);
SPA_POD_CHOICE_BODY_FOREACH(b, size, p) if (b->child.size < min_size) {
spa_debugc_pod_value(ctx, indent + 2, info, b->child.type, p, b->child.size); spa_debugc(ctx, "%*s" "INVALID child.size < %" PRIu32, indent, "", min_size);
} else {
SPA_POD_CHOICE_BODY_FOREACH(b, size, p)
spa_debugc_pod_value(ctx, indent + 2, info, b->child.type, p, b->child.size);
}
break; break;
} }
case SPA_TYPE_Struct: case SPA_TYPE_Struct:
{ {
struct spa_pod *b = (struct spa_pod *)body, *p; struct spa_pod *b = (struct spa_pod *)body, *p;
spa_debugc(ctx, "%*s" "Struct: size %" PRIu32, indent, "", size); spa_debugc(ctx, "%*s" "Struct: size %" PRIu32, indent, "", size);
SPA_POD_FOREACH(b, size, p) SPA_POD_FOREACH(b, size, p) {
spa_debugc_pod_value(ctx, indent + 2, info, p->type, SPA_POD_BODY(p), p->size); uint32_t min_size = spa_pod_type_size(p->type);
if (p->size < min_size) {
spa_debugc(ctx, "%*s" "INVALID child.size < %" PRIu32, indent, "", min_size);
} else {
spa_debugc_pod_value(ctx, indent + 2, info, p->type, SPA_POD_BODY(p), p->size);
}
}
break; break;
} }
case SPA_TYPE_Object: case SPA_TYPE_Object:
@ -136,6 +152,7 @@ spa_debugc_pod_value(struct spa_debug_context *ctx, int indent, const struct spa
static const char custom_prefix[] = SPA_TYPE_INFO_PROPS_BASE "Custom:"; static const char custom_prefix[] = SPA_TYPE_INFO_PROPS_BASE "Custom:";
char custom_name[sizeof(custom_prefix) + 16]; char custom_name[sizeof(custom_prefix) + 16];
const char *name = "unknown"; const char *name = "unknown";
uint32_t min_size = spa_pod_type_size(p->value.type);
ii = spa_debug_type_find(info, p->key); ii = spa_debug_type_find(info, p->key);
if (ii) { if (ii) {
@ -149,10 +166,14 @@ spa_debugc_pod_value(struct spa_debug_context *ctx, int indent, const struct spa
spa_debugc(ctx, "%*s" "Prop: key %s (%" PRIu32 "), flags %08" PRIx32, spa_debugc(ctx, "%*s" "Prop: key %s (%" PRIu32 "), flags %08" PRIx32,
indent+2, "", name, p->key, p->flags); indent+2, "", name, p->key, p->flags);
spa_debugc_pod_value(ctx, indent + 4, ii ? ii->values : NULL, if (p->value.size < min_size) {
p->value.type, spa_debugc(ctx, "%*s" "INVALID value.size < %" PRIu32, indent, "", min_size);
SPA_POD_CONTENTS(struct spa_pod_prop, p), } else {
p->value.size); spa_debugc_pod_value(ctx, indent + 4, ii ? ii->values : NULL,
p->value.type,
SPA_POD_CONTENTS(struct spa_pod_prop, p),
p->value.size);
}
} }
break; break;
} }
@ -168,15 +189,21 @@ spa_debugc_pod_value(struct spa_debug_context *ctx, int indent, const struct spa
ti ? ti->name : "unknown"); ti ? ti->name : "unknown");
SPA_POD_SEQUENCE_BODY_FOREACH(b, size, c) { SPA_POD_SEQUENCE_BODY_FOREACH(b, size, c) {
uint32_t min_size = spa_pod_type_size(c->value.type);
ii = spa_debug_type_find(spa_type_control, c->type); ii = spa_debug_type_find(spa_type_control, c->type);
spa_debugc(ctx, "%*s" "Control: offset %" PRIu32 ", type %s", indent+2, "", spa_debugc(ctx, "%*s" "Control: offset %" PRIu32 ", type %s", indent+2, "",
c->offset, ii ? ii->name : "unknown"); c->offset, ii ? ii->name : "unknown");
spa_debugc_pod_value(ctx, indent + 4, ii ? ii->values : NULL, if (c->value.size < min_size) {
c->value.type, spa_debugc(ctx, "%*s" "INVALID value.size < %" PRIu32, indent, "", min_size);
SPA_POD_CONTENTS(struct spa_pod_control, c), } else {
c->value.size); spa_debugc_pod_value(ctx, indent + 4, ii ? ii->values : NULL,
c->value.type,
SPA_POD_CONTENTS(struct spa_pod_control, c),
c->value.size);
}
} }
break; break;
} }
@ -198,6 +225,8 @@ spa_debugc_pod_value(struct spa_debug_context *ctx, int indent, const struct spa
SPA_API_DEBUG_POD int spa_debugc_pod(struct spa_debug_context *ctx, int indent, SPA_API_DEBUG_POD int spa_debugc_pod(struct spa_debug_context *ctx, int indent,
const struct spa_type_info *info, const struct spa_pod *pod) const struct spa_type_info *info, const struct spa_pod *pod)
{ {
if (pod->size < spa_pod_type_size(pod->type))
return -EINVAL;
return spa_debugc_pod_value(ctx, indent, info ? info : SPA_TYPE_ROOT, return spa_debugc_pod_value(ctx, indent, info ? info : SPA_TYPE_ROOT,
pod->type, SPA_POD_BODY(pod), pod->size); pod->type, SPA_POD_BODY(pod), pod->size);
} }

24
spa/include/spa/pod/compare.h
View file

@ -39,41 +39,23 @@ SPA_API_POD_COMPARE int spa_pod_compare_value(uint32_t type, const void *r1, con
case SPA_TYPE_None: case SPA_TYPE_None:
return 0; return 0;
case SPA_TYPE_Bool: case SPA_TYPE_Bool:
if (size < sizeof(int32_t))
return -EINVAL;
return SPA_CMP(!!*(int32_t *)r1, !!*(int32_t *)r2); return SPA_CMP(!!*(int32_t *)r1, !!*(int32_t *)r2);
case SPA_TYPE_Id: case SPA_TYPE_Id:
if (size < sizeof(uint32_t))
return -EINVAL;
return SPA_CMP(*(uint32_t *)r1, *(uint32_t *)r2); return SPA_CMP(*(uint32_t *)r1, *(uint32_t *)r2);
case SPA_TYPE_Int: case SPA_TYPE_Int:
if (size < sizeof(int32_t))
return -EINVAL;
return SPA_CMP(*(int32_t *)r1, *(int32_t *)r2); return SPA_CMP(*(int32_t *)r1, *(int32_t *)r2);
case SPA_TYPE_Long: case SPA_TYPE_Long:
if (size < sizeof(int64_t))
return -EINVAL;
return SPA_CMP(*(int64_t *)r1, *(int64_t *)r2); return SPA_CMP(*(int64_t *)r1, *(int64_t *)r2);
case SPA_TYPE_Float: case SPA_TYPE_Float:
if (size < sizeof(float))
return -EINVAL;
return SPA_CMP(*(float *)r1, *(float *)r2); return SPA_CMP(*(float *)r1, *(float *)r2);
case SPA_TYPE_Double: case SPA_TYPE_Double:
if (size < sizeof(double))
return -EINVAL;
return SPA_CMP(*(double *)r1, *(double *)r2); return SPA_CMP(*(double *)r1, *(double *)r2);
case SPA_TYPE_String: case SPA_TYPE_String:
if (size < sizeof(char) || return strncmp((char *)r1, (char *)r2, size);
((char *)r1)[size - 1] ||
((char *)r2)[size - 1])
return -EINVAL;
return strcmp((char *)r1, (char *)r2);
case SPA_TYPE_Rectangle: case SPA_TYPE_Rectangle:
{ {
const struct spa_rectangle *rec1 = (struct spa_rectangle *) r1, const struct spa_rectangle *rec1 = (struct spa_rectangle *) r1,
*rec2 = (struct spa_rectangle *) r2; *rec2 = (struct spa_rectangle *) r2;
if (size < sizeof(struct spa_rectangle))
return -EINVAL;
if (rec1->width == rec2->width && rec1->height == rec2->height) if (rec1->width == rec2->width && rec1->height == rec2->height)
return 0; return 0;
else if (rec1->width < rec2->width || rec1->height < rec2->height) else if (rec1->width < rec2->width || rec1->height < rec2->height)
@ -86,8 +68,6 @@ SPA_API_POD_COMPARE int spa_pod_compare_value(uint32_t type, const void *r1, con
const struct spa_fraction *f1 = (struct spa_fraction *) r1, const struct spa_fraction *f1 = (struct spa_fraction *) r1,
*f2 = (struct spa_fraction *) r2; *f2 = (struct spa_fraction *) r2;
uint64_t n1, n2; uint64_t n1, n2;
if (size < sizeof(struct spa_fraction))
return -EINVAL;
n1 = ((uint64_t) f1->num) * f2->denom; n1 = ((uint64_t) f1->num) * f2->denom;
n2 = ((uint64_t) f2->num) * f1->denom; n2 = ((uint64_t) f2->num) * f1->denom;
return SPA_CMP(n1, n2); return SPA_CMP(n1, n2);
@ -176,6 +156,8 @@ SPA_API_POD_COMPARE int spa_pod_compare(const struct spa_pod *pod1,
default: default:
if (pod1->size != pod2->size) if (pod1->size != pod2->size)
return -EINVAL; return -EINVAL;
if (pod1->size < spa_pod_type_size(pod1->type))
return -EINVAL;
res = spa_pod_compare_value(pod1->type, res = spa_pod_compare_value(pod1->type,
SPA_POD_BODY(pod1), SPA_POD_BODY(pod2), SPA_POD_BODY(pod1), SPA_POD_BODY(pod2),
pod1->size); pod1->size);

6
spa/include/spa/pod/filter.h
View file

@ -95,6 +95,8 @@ spa_pod_filter_prop(struct spa_pod_builder *b,
/* incompatible property types */ /* incompatible property types */
if (type != v2->type || size != v2->size || p1->key != p2->key) if (type != v2->type || size != v2->size || p1->key != p2->key)
return -EINVAL; return -EINVAL;
if (size < spa_pod_type_size(type))
return -EINVAL;
/* start with copying the property */ /* start with copying the property */
spa_pod_builder_prop(b, p1->key, p1->flags & p2->flags); spa_pod_builder_prop(b, p1->key, p1->flags & p2->flags);
@ -402,6 +404,10 @@ SPA_API_POD_FILTER int spa_pod_filter_object_make(struct spa_pod_object *pod)
uint32_t nvals, choice; uint32_t nvals, choice;
struct spa_pod *v = spa_pod_get_values(&res->value, &nvals, &choice); struct spa_pod *v = spa_pod_get_values(&res->value, &nvals, &choice);
const void *vals = SPA_POD_BODY(v); const void *vals = SPA_POD_BODY(v);
if (v->size < spa_pod_type_size(v->type))
continue;
if (spa_pod_compare_is_valid_choice(v->type, v->size, if (spa_pod_compare_is_valid_choice(v->type, v->size,
vals, vals, nvals, choice)) { vals, vals, nvals, choice)) {
((struct spa_pod_choice*)&res->value)->body.type = SPA_CHOICE_None; ((struct spa_pod_choice*)&res->value)->body.type = SPA_CHOICE_None;