security: fix integer overflow in Bluetooth codec codesize calculations

Memory Safety: High Several Bluetooth audio codec implementations calculate codesize by multiplying samples * channels * sizeof(sample_type) without overflow checks. The parameters come from Bluetooth codec negotiation, which is influenced by the remote peer. If the multiplication overflows, codesize wraps to a small value, causing subsequent buffer size checks to pass while the actual data processing operates on the full (larger) sample count, leading to heap buffer overflows. Affected codecs: LC3 (BAP), LC3plus (A2DP), Opus (A2DP), Opus-G (A2DP). Add overflow checks before each codesize multiplication to ensure the result fits in the target integer type, returning -EINVAL on overflow. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-27 06:46:48 -04:00 · 2026-04-23 18:50:14 +02:00 · 2026-04-23 18:50:14 +02:00 · e3e1c4d214
commit e3e1c4d214
parent 00413a3263
4 changed files with 30 additions and 2 deletions
--- a/spa/plugins/bluez5/a2dp-codec-opus-g.c
+++ b/spa/plugins/bluez5/a2dp-codec-opus-g.c
@ -8,6 +8,7 @@
 #include <stddef.h>
 #include <errno.h>
 #include <arpa/inet.h>
+#include <limits.h>

 #include <spa/debug/types.h>
 #include <spa/param/audio/type-info.h>
@ -330,6 +331,10 @@ static void *codec_init(const struct media_codec *codec, uint32_t flags,
 	}

 	this->e.samples = this->e.frame_dms * this->samplerate / 10000;
+	if (this->e.samples > INT_MAX / (int)sizeof(float) / SPA_MAX((int)this->channels, 1)) {
+		res = -EINVAL;
+		goto error;
+	}
 	this->e.codesize = this->e.samples * (int)this->channels * sizeof(float);

 	int header_size = sizeof(struct rtp_header) + sizeof(struct rtp_payload);