mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2025-11-06 13:30:01 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

*: Missing bounds checks in POD handling

Browse source 
There were missing bounds checks for ill-formed POD all over the place.
This commit is contained in:
Demi Marie Obenour 2025-06-06 14:48:33 -04:00 committed by Wim Taymans
parent 7ac94f1a69
commit fb315b9050
7 changed files with 104 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

12
spa/include/spa/pod/compare.h
View file

@ -186,8 +186,12 @@ SPA_API_POD_COMPARE int spa_pod_compare_is_compatible_flags(uint32_t type, const
{
switch (type) {
case SPA_TYPE_Int:
if (size < sizeof(int32_t))
return -EINVAL;
return ((*(int32_t *) r1) & (*(int32_t *) r2)) != 0;
case SPA_TYPE_Long:
if (size < sizeof(int64_t))
return -EINVAL;
return ((*(int64_t *) r1) & (*(int64_t *) r2)) != 0;
default:
return -ENOTSUP;
@ -197,18 +201,24 @@ SPA_API_POD_COMPARE int spa_pod_compare_is_compatible_flags(uint32_t type, const
SPA_API_POD_COMPARE int spa_pod_compare_is_step_of(uint32_t type, const void *r1,
const void *r2, uint32_t size SPA_UNUSED)
const void *r2, uint32_t size)
{
switch (type) {
case SPA_TYPE_Int:
if (size < sizeof(int32_t))
return -EINVAL;
return *(int32_t *) r1 % *(int32_t *) r2 == 0;
case SPA_TYPE_Long:
if (size < sizeof(int64_t))
return -EINVAL;
return *(int64_t *) r1 % *(int64_t *) r2 == 0;
case SPA_TYPE_Rectangle:
{
const struct spa_rectangle *rec1 = (struct spa_rectangle *) r1,
*rec2 = (struct spa_rectangle *) r2;
if (size < sizeof(struct spa_rectangle))
return -EINVAL;
return (rec1->width % rec2->width == 0 &&
rec1->height % rec2->height == 0);
}