mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2025-11-06 13:30:01 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

*: Missing bounds checks in POD handling

Browse source 
There were missing bounds checks for ill-formed POD all over the place.
This commit is contained in:
Demi Marie Obenour 2025-06-06 14:48:33 -04:00 committed by Wim Taymans
parent 7ac94f1a69
commit fb315b9050
7 changed files with 104 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/modules/module-protocol-pulse/collect.c
View file

@ -524,8 +524,11 @@ uint32_t collect_transport_codec_info(struct pw_manager_object *card,
if (iid != SPA_PROP_bluetoothAudioCodec)
continue;
if (type->body.type != SPA_CHOICE_Enum ||
type->body.child.type != SPA_TYPE_Int)
if (type->pod.size < sizeof(struct spa_pod_choice_body) +
2 * sizeof(int32_t) ||
type->body.type != SPA_CHOICE_Enum ||
type->body.child.type != SPA_TYPE_Int ||
type->body.child.size != sizeof(int32_t))
continue;
/*

2
src/modules/module-protocol-pulse/format.c
View file

@ -683,7 +683,7 @@ static int add_int(struct format_info *info, const char *k, struct spa_pod *para
return -ENOENT;
val = spa_pod_get_values(&prop->value, &n_values, &choice);
if (val->type != SPA_TYPE_Int)
if (!spa_pod_is_int(val))
return -ENOTSUP;
if (n_values == 0)

32
src/tools/pw-dump.c
View file

@ -341,12 +341,16 @@ static void put_pod_value(struct data *d, const char *key, const struct spa_type
put_key(d, key);
switch (type) {
case SPA_TYPE_Bool:
if (size < sizeof(int32_t))
break;
put_value(d, NULL, *(int32_t*)body ? "true" : "false");
break;
case SPA_TYPE_Id:
{
const char *str;
char fallback[32];
if (size < sizeof(uint32_t))
break;
uint32_t id = *(uint32_t*)body;
str = spa_debug_type_find_short_name(info, *(uint32_t*)body);
if (str == NULL) {
@ -357,24 +361,38 @@ static void put_pod_value(struct data *d, const char *key, const struct spa_type
break;
}
case SPA_TYPE_Int:
if (size < sizeof(int32_t))
break;
put_int(d, NULL, *(int32_t*)body);
break;
case SPA_TYPE_Fd:
case SPA_TYPE_Long:
if (size < sizeof(int64_t))
break;
put_int(d, NULL, *(int64_t*)body);
break;
case SPA_TYPE_Float:
if (size < sizeof(float))
break;
put_double(d, NULL, *(float*)body);
break;
case SPA_TYPE_Double:
if (size < sizeof(double))
break;
put_double(d, NULL, *(double*)body);
break;
case SPA_TYPE_String:
if (size < 1 || ((const char *)body)[size - 1])
break;
put_string(d, NULL, (const char*)body);
break;
case SPA_TYPE_Rectangle:
{
struct spa_rectangle *r = (struct spa_rectangle *)body;
struct spa_rectangle *r;
if (size < sizeof(*r))
break;
r = (struct spa_rectangle *)body;
put_begin(d, NULL, "{", STATE_SIMPLE);
put_int(d, "width", r->width);
put_int(d, "height", r->height);
@ -383,7 +401,11 @@ static void put_pod_value(struct data *d, const char *key, const struct spa_type
}
case SPA_TYPE_Fraction:
{
struct spa_fraction *f = (struct spa_fraction *)body;
struct spa_fraction *f;
if (size < sizeof(*f))
break;
f = (struct spa_fraction *)body;
put_begin(d, NULL, "{", STATE_SIMPLE);
put_int(d, "num", f->num);
put_int(d, "denom", f->denom);
@ -392,8 +414,12 @@ static void put_pod_value(struct data *d, const char *key, const struct spa_type
}
case SPA_TYPE_Array:
{
struct spa_pod_array_body *b = (struct spa_pod_array_body *)body;
struct spa_pod_array_body *b;
void *p;
if (size < sizeof(*b))
break;
b = (struct spa_pod_array_body *)body;
info = info && info->values ? info->values: info;
put_begin(d, NULL, "[", STATE_SIMPLE);
SPA_POD_ARRAY_BODY_FOREACH(b, size, p)