mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-02 06:46:36 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: bound alloca size for udev property strings

Browse source 
Memory Safety: Low

The udev device enumeration code uses alloca(strlen(str) + 1) to
allocate stack buffers for unescaping ID_VENDOR_ENC and ID_MODEL_ENC
udev properties. These property values originate from the udev database
and could theoretically be manipulated through custom udev rules or
crafted USB device descriptors. An excessively long property value
would cause unbounded stack allocation.

Add a 1024-byte cap on the alloca size and skip the unescape step for
oversized values, falling back to the raw encoded string.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-29 14:10:34 +02:00
parent 6bcefd0d59
commit d4cf1d0d6f
1 changed files with 12 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

18
spa/plugins/alsa/alsa-udev.c
View file

@ -667,9 +667,12 @@ static int emit_added_object_info(struct impl *this, struct card *card)
if (!(str && *str)) {
str = udev_device_get_property_value(udev_device, "ID_VENDOR");
} else {
char *t = alloca(strlen(str) + 1);
unescape(str, t);
str = t;
size_t slen = strlen(str) + 1;
if (slen <= 1024) {
char *t = alloca(slen);
unescape(str, t);
str = t;
}
}
}
if (str && *str) {
@ -689,9 +692,12 @@ static int emit_added_object_info(struct impl *this, struct card *card)
if (!(str && *str)) {
str = udev_device_get_property_value(udev_device, "ID_MODEL");
} else {
char *t = alloca(strlen(str) + 1);
unescape(str, t);
str = t;
size_t slen = strlen(str) + 1;
if (slen <= 1024) {
char *t = alloca(slen);
unescape(str, t);
str = t;
}
}
}
if (str && *str)