mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-27 06:46:48 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix missing packet length validation in VBAN MIDI receive

Browse source 
Memory Safety: High

In vban_midi_receive(), the received buffer is cast to struct
vban_header and its n_frames field is accessed before validating
that the packet is large enough to contain the header. A truncated
packet shorter than VBAN_HEADER_SIZE would cause an out-of-bounds
read.

Fix by checking that len >= VBAN_HEADER_SIZE before accessing the
header, matching the fix applied to vban_audio_receive().

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-23 17:56:57 +02:00
parent 3709cac938
commit d4ec630b2f
1 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/modules/module-vban/midi.c
View file

@ -190,8 +190,11 @@ static int vban_midi_receive(struct impl *impl, uint8_t *buffer, ssize_t len)
ssize_t hlen; ssize_t hlen;
uint32_t n_frames; uint32_t n_frames;
hdr = (struct vban_header*)buffer;
hlen = VBAN_HEADER_SIZE; hlen = VBAN_HEADER_SIZE;
if (len < hlen)
return 0;
hdr = (struct vban_header*)buffer;
n_frames = hdr->n_frames; n_frames = hdr->n_frames;
if (impl->have_sync && impl->n_frames != n_frames) { if (impl->have_sync && impl->n_frames != n_frames) {