mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-30 06:46:49 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix unchecked alloca in pulse protocol message handling

Browse source 
Memory Safety: High

The add_stream_group() function computes a buffer size from the sum of
multiple string lengths, including user-controlled dictionary values
(media role, app name, etc.), and passes it to alloca() without any
bounds check. A malicious client could send very long property strings
causing an integer overflow in the size computation (wrapping a
negative/small int) or an excessively large stack allocation, leading
to a stack overflow.

Add a bounds check to reject sizes that are negative or exceed 1024
bytes before calling alloca().

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-24 16:08:45 +02:00
parent 0f8d5c6e57
commit d60ae4a1df
1 changed files with 2 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/modules/module-protocol-pulse/message.c
View file

@ -534,6 +534,8 @@ static void add_stream_group(struct message *m, struct spa_dict *dict, const cha
write_string(m, key); write_string(m, key);
l = strlen(prefix) + strlen(id) + strlen(str) + 6; /* "-by-" , ":" and \0 */ l = strlen(prefix) + strlen(id) + strlen(str) + 6; /* "-by-" , ":" and \0 */
if (l < 0 || l > 1024)
return;
b = alloca(l); b = alloca(l);
snprintf(b, l, "%s-by-%s:%s", prefix, id, str); snprintf(b, l, "%s-by-%s:%s", prefix, id, str);
write_u32(m, l); write_u32(m, l);