From e5968c00b156fd414076f31f6b4750b7c6721dca Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Wed, 29 Apr 2026 16:50:43 +0200
Subject: [PATCH] security: validate sample rate in PulseAudio update_stream_sample_rate

The client-provided rate was used without validation. A zero or excessively large rate produces extreme correction values passed to pw_stream_set_control. Reject rates that are zero or exceed RATE_MAX.

Co-Authored-By: Claude Opus 4.7
---
 src/modules/module-protocol-pulse/pulse-server.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/modules/module-protocol-pulse/pulse-server.c b/src/modules/module-protocol-pulse/pulse-server.c
index 3ab8075ab..cf6258b57 100644
--- a/src/modules/module-protocol-pulse/pulse-server.c
+++ b/src/modules/module-protocol-pulse/pulse-server.c
@@ -4609,6 +4609,9 @@ static int do_update_stream_sample_rate(struct client *client, uint32_t command,
 if (stream == NULL || stream->type == STREAM_TYPE_UPLOAD)
 return -ENOENT;
 
+ if (rate == 0 || rate > RATE_MAX)
+ return -EINVAL;
+
 stream->rate = rate;
 
 corr = (float)rate/(float)stream->ss.rate;
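Review bot: The new guard `if (rate == 0 || rate > RATE_MAX)` bounds the client-supplied rate, but the value derived two lines later is the ratio `corr = (float)rate/(float)stream->ss.rate`, and neither the ratio nor the divisor is checked in this hunk. If `stream->ss.rate` is validated against the same limits when the stream is created (not visible here), the division is safe, though a low stream rate combined with a rate near RATE_MAX still yields a large correction factor; it is worth confirming that the consumer of `corr` clamps it, or bounding the ratio here. A short comment above the check, such as `/* rate is client-controlled: reject values that make corr meaningless */`, would record why the check sits before `stream->rate = rate`. The body of do_update_stream_sample_rate starts and ends outside the hunk, so the parsing of `rate` and the use of `corr` are not visible.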