mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-03-19 05:33:49 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

audioconvert: avoid OOB mix matrix read

Browse source 
Patch by David Nowotny

In make_matrix (channelmix-ops.c), the matrix-filling loop at the done:
label allows the index i (and j in the inner loop) to grow beyond MAX_CHANNELS
when dst_paired/src_paired has sparse bits set. In that case the continue
fires for most values of i < CHANNEL_BITS, so i advances much faster than ic,
and matrix[i][j] reads off the end of the stack-allocated array.

Add bounds guards to both loop conditions so i and j cannot exceed
MAX_CHANNELS.

Fixes #5176
This commit is contained in:
Wim Taymans 2026-03-17 14:13:01 +01:00
parent 6bf81ebe59
commit e4693ebc83
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
spa/plugins/audioconvert/channelmix-ops.c
View file

@ -720,7 +720,7 @@ done:
if (src_paired == 0)
src_paired = ~0LU;
for (jc = 0, ic = 0, i = 0; ic < dst_chan; i++) {
for (jc = 0, ic = 0, i = 0; ic < dst_chan && i < MAX_CHANNELS; i++) {
float sum = 0.0f;
char str1[1024], str2[1024];
struct spa_strbuf sb1, sb2;
@ -730,7 +730,7 @@ done:
if (i < CHANNEL_BITS && (dst_paired & (1UL << i)) == 0)
continue;
for (jc = 0, j = 0; jc < src_chan; j++) {
for (jc = 0, j = 0; jc < src_chan && j < MAX_CHANNELS; j++) {
if (j < CHANNEL_BITS && (src_paired & (1UL << j)) == 0)
continue;