mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-03 06:47:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix OOB read in IEC958 format enum parsing

Browse source 
In the SPA_CHOICE_Enum case, values[index+1] was used to skip the
default value at index 0, but the bounds check only validated index,
not index+1. Move bounds checks into each case with the correct limit.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-30 09:19:41 +02:00
parent 390874e7c3
commit e1f4c441f4
1 changed files with 4 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/modules/module-protocol-pulse/format.c
View file

@ -750,16 +750,17 @@ static int format_info_iec958_from_param(struct format_info *info, struct spa_po
if (val->type != SPA_TYPE_Id) if (val->type != SPA_TYPE_Id)
return -ENOTSUP; return -ENOTSUP;
if (index >= n_values)
return -ENOENT;
values = SPA_POD_BODY(val); values = SPA_POD_BODY(val);
switch (choice) { switch (choice) {
case SPA_CHOICE_None: case SPA_CHOICE_None:
if (index >= n_values)
return -ENOENT;
info->encoding = format_encoding_from_id(values[index]); info->encoding = format_encoding_from_id(values[index]);
break; break;
case SPA_CHOICE_Enum: case SPA_CHOICE_Enum:
if (index + 1 >= n_values)
return -ENOENT;
info->encoding = format_encoding_from_id(values[index+1]); info->encoding = format_encoding_from_id(values[index+1]);
break; break;
default: default: