From cd7bb1e37de63f9bf2c1387a31d94b91d37c2d05 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Wed, 29 Apr 2026 16:50:43 +0200 Subject: [PATCH] security: validate sample rate in PulseAudio update_stream_sample_rate The client-provided rate was used without validation. A zero or excessively large rate produces extreme correction values passed to pw_stream_set_control. Reject rates that are zero or exceed RATE_MAX. Co-Authored-By: Claude Opus 4.7
---
 src/modules/module-protocol-pulse/pulse-server.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/modules/module-protocol-pulse/pulse-server.c b/src/modules/module-protocol-pulse/pulse-server.c
index b98bd13b1..a5b384121 100644
--- a/src/modules/module-protocol-pulse/pulse-server.c
+++ b/src/modules/module-protocol-pulse/pulse-server.c
@@ -4684,6 +4684,9 @@ static int do_update_stream_sample_rate(struct client *client, uint32_t command,
 if (stream == NULL || stream->type == STREAM_TYPE_UPLOAD)
 return -ENOENT;
+ if (rate == 0 || rate > RATE_MAX)
+ return -EINVAL;
+
 stream->rate = rate;
 corr = (float)rate/(float)stream->ss.rate;
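Review bot: The new guard bounds only the numerator of `corr = (float)rate/(float)stream->ss.rate;`, so the correction value handed to pw_stream_set_control is bounded only if `stream->ss.rate` is known to be non-zero and within a sane range at this point. Nothing in the visible lines establishes that; it is presumably validated when the stream is created, outside this hunk, but that should be confirmed. If it is not guaranteed, extend the check to `if (rate == 0 || rate > RATE_MAX || stream->ss.rate == 0)`, or clamp `corr` before it is used. Otherwise, a short comment above the division such as `/* ss.rate was validated at stream creation, so corr is finite and bounded by RATE_MAX / ss.rate */` would record the assumption the fix relies on. The body of do_update_stream_sample_rate starts and ends outside the hunk, so the message parsing that produces `rate` and the later use of `corr` are not visible here.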