security: fix unchecked alloca in pulse protocol message handling

Memory Safety: High

The add_stream_group() function computes a buffer size from the sum of
multiple string lengths, including user-controlled dictionary values
(media role, app name, etc.), and passes it to alloca() without any
bounds check. A malicious client could send very long property strings
causing an integer overflow in the size computation (wrapping a
negative/small int) or an excessively large stack allocation, leading
to a stack overflow.

Add a bounds check to reject sizes that are negative or exceed 1024
bytes before calling alloca().

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wim Taymans 2026-04-24 16:08:45 +02:00
parent 0f8d5c6e57
commit d60ae4a1df


@ -534,6 +534,8 @@ static void add_stream_group(struct message *m, struct spa_dict *dict, const cha
write_string(m, key);
l = strlen(prefix) + strlen(id) + strlen(str) + 6; /* "-by-" , ":" and \0 */
if (l < 0 || l > 1024)
return;
b = alloca(l);
snprintf(b, l, "%s-by-%s:%s", prefix, id, str);
write_u32(m, l);
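Review bot: the new `if (l < 0 || l > 1024) return;` sits after `write_string(m, key);` has already been emitted, so bailing out here leaves a key in the message with no value following it, which can desynchronize the peer's parsing of the rest of the message; move the length check above `write_string(m, key)` (or emit a well-formed empty value before returning) so the message stays consistent when a property is rejected. Also, the `l < 0` branch only does anything if `l` is a signed type; if it is declared `size_t` the comparison is dead code and the `> 1024` test is the whole protection, so please confirm the declaration matches the "negative" case the commit message describes.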