mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-03 06:47:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix stack buffer overflow in PulseAudio channel map parsing

Browse source 
format_info_to_spec parses the format.channel_map property without
checking against CHANNELS_MAX (64) before writing to map->map[].
A client supplying more than 64 channel names overflows the stack-
allocated channel_map buffer.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-29 15:49:50 +02:00
parent 0c4a0dcf7d
commit d23ec56f0d
1 changed files with 2 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/modules/module-protocol-pulse/format.c
View file

@ -879,6 +879,8 @@ int format_info_to_spec(const struct format_info *info, struct sample_spec *ss,
return -EINVAL; return -EINVAL;
while ((*str == '\"' || *str == ',') && while ((*str == '\"' || *str == ',') &&
(len = strcspn(++str, "\",")) > 0) { (len = strcspn(++str, "\",")) > 0) {
if (map->channels >= CHANNELS_MAX)
return -EINVAL;
map->map[map->channels++] = channel_paname2id(str, len); map->map[map->channels++] = channel_paname2id(str, len);
str += len; str += len;
} }