From d4cf1d0d6f1ffd65773782b1dee87d611e3bb661 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Wed, 29 Apr 2026 14:10:34 +0200
Subject: [PATCH] security: bound alloca size for udev property strings

Memory Safety: Low

The udev device enumeration code uses alloca(strlen(str) + 1) to
allocate stack buffers for unescaping ID_VENDOR_ENC and ID_MODEL_ENC
udev properties. These property values originate from the udev database
and could theoretically be manipulated through custom udev rules or
crafted USB device descriptors. An excessively long property value
would cause unbounded stack allocation.

Add a 1024-byte cap on the alloca size and skip the unescape step for
oversized values, falling back to the raw encoded string.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 spa/plugins/alsa/alsa-udev.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/spa/plugins/alsa/alsa-udev.c b/spa/plugins/alsa/alsa-udev.c
index 9c3e12f20..e97604b58 100644
--- a/spa/plugins/alsa/alsa-udev.c
+++ b/spa/plugins/alsa/alsa-udev.c
@@ -667,9 +667,12 @@ static int emit_added_object_info(struct impl *this, struct card *card)
 			if (!(str && *str)) {
 				str = udev_device_get_property_value(udev_device, "ID_VENDOR");
 			} else {
-				char *t = alloca(strlen(str) + 1);
-				unescape(str, t);
-				str = t;
+				size_t slen = strlen(str) + 1;
+				if (slen <= 1024) {
+					char *t = alloca(slen);
+					unescape(str, t);
+					str = t;
+				}
 			}
 		}
 		if (str && *str) {
@@ -689,9 +692,12 @@ static int emit_added_object_info(struct impl *this, struct card *card)
 			if (!(str && *str)) {
 				str = udev_device_get_property_value(udev_device, "ID_MODEL");
 			} else {
-				char *t = alloca(strlen(str) + 1);
-				unescape(str, t);
-				str = t;
+				size_t slen = strlen(str) + 1;
+				if (slen <= 1024) {
+					char *t = alloca(slen);
+					unescape(str, t);
+					str = t;
+				}
 			}
 		}
 		if (str && *str)