From f00c84ccada3dad5309998931b5836ab5c0479a4 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Mon, 27 Apr 2026 16:15:10 +0200 Subject: [PATCH] security: replace strcpy with memcpy in alsa_id_decode Memory Safety: Low alsa_id_decode() uses strcpy() to copy into a caller-provided buffer without knowing its size. Although all current callers allocate the buffer correctly (via alloca(strlen(src) + 1) or with a pre-validated fixed buffer), the function signature does not encode this requirement. Replace strcpy with memcpy using the known source length to make the bounded copy explicit. Co-Authored-By: Claude Opus 4.6 --- spa/plugins/alsa/acp/alsa-mixer.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/spa/plugins/alsa/acp/alsa-mixer.c b/spa/plugins/alsa/acp/alsa-mixer.c index b18d7c6c9..299a78413 100644 --- a/spa/plugins/alsa/acp/alsa-mixer.c +++ b/spa/plugins/alsa/acp/alsa-mixer.c @@ -63,6 +63,7 @@ char *pa_alsa_mixer_id_to_string(char *dst, size_t dst_len, pa_alsa_mixer_id *id } static int alsa_id_decode(const char *src, char *name, int *index) { + size_t src_len = strlen(src); char *idx, c; int i; @@ -70,7 +71,7 @@ static int alsa_id_decode(const char *src, char *name, int *index) { c = src[0]; /* Strip quotes in entries such as 'Speaker',1 or "Speaker",1 */ if (c == '\'' || c == '"') { - strcpy(name, src + 1); + memcpy(name, src + 1, src_len); for (i = 0; name[i] != '\0' && name[i] != c; i++); idx = NULL; if (name[i]) { @@ -78,7 +79,7 @@ static int alsa_id_decode(const char *src, char *name, int *index) { idx = strchr(name + i + 1, ','); } } else { - strcpy(name, src); + memcpy(name, src, src_len + 1); idx = strchr(name, ','); } if (idx == NULL)