From d4a127801856893955ffd4b7c74b49c19f8c7b32 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Wed, 29 Apr 2026 18:26:01 +0200 Subject: [PATCH] security: add missing create_tag checks in stream command handlers do_cork_stream, do_flush_trigger_prebuf_stream, and do_set_stream_name did not check whether the stream had completed format negotiation. Add create_tag guards matching the pattern in do_set_stream_buffer_attr. Co-Authored-By: Claude Opus 4.7 --- src/modules/module-protocol-pulse/pulse-server.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/modules/module-protocol-pulse/pulse-server.c b/src/modules/module-protocol-pulse/pulse-server.c index 657d52ad1..2c87f1e22 100644 --- a/src/modules/module-protocol-pulse/pulse-server.c +++ b/src/modules/module-protocol-pulse/pulse-server.c @@ -2707,6 +2707,8 @@ static int do_cork_stream(struct client *client, uint32_t command, uint32_t tag, stream = pw_map_lookup(&client->streams, channel); if (stream == NULL || stream->type == STREAM_TYPE_UPLOAD) return -ENOENT; + if (stream->create_tag != SPA_ID_INVALID) + return -ENOENT; stream_set_corked(stream, cork); if (cork) { @@ -2737,6 +2739,8 @@ static int do_flush_trigger_prebuf_stream(struct client *client, uint32_t comman stream = pw_map_lookup(&client->streams, channel); if (stream == NULL || stream->type == STREAM_TYPE_UPLOAD) return -ENOENT; + if (stream->create_tag != SPA_ID_INVALID) + return -ENOENT; switch (command) { case COMMAND_FLUSH_PLAYBACK_STREAM: @@ -3238,6 +3242,8 @@ static int do_set_stream_name(struct client *client, uint32_t command, uint32_t stream = pw_map_lookup(&client->streams, channel); if (stream == NULL || stream->type == STREAM_TYPE_UPLOAD) return -ENOENT; + if (stream->create_tag != SPA_ID_INVALID) + return -ENOENT; items[0] = SPA_DICT_ITEM_INIT(PW_KEY_MEDIA_NAME, name); pw_stream_update_properties(stream->stream,