mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2025-11-03 09:01:54 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

*: Missing bounds checks in POD handling

Browse source 
There were missing bounds checks for ill-formed POD all over the place.
This commit is contained in:
Demi Marie Obenour 2025-06-06 14:48:33 -04:00 committed by Wim Taymans
parent 7ac94f1a69
commit fb315b9050
7 changed files with 104 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/modules/module-protocol-pulse/collect.c
View file

@ -524,8 +524,11 @@ uint32_t collect_transport_codec_info(struct pw_manager_object *card,
if (iid != SPA_PROP_bluetoothAudioCodec)
continue;
if (type->body.type != SPA_CHOICE_Enum ||
type->body.child.type != SPA_TYPE_Int)
if (type->pod.size < sizeof(struct spa_pod_choice_body) +
2 * sizeof(int32_t) ||
type->body.type != SPA_CHOICE_Enum ||
type->body.child.type != SPA_TYPE_Int ||
type->body.child.size != sizeof(int32_t))
continue;
/*

2
src/modules/module-protocol-pulse/format.c
View file

@ -683,7 +683,7 @@ static int add_int(struct format_info *info, const char *k, struct spa_pod *para
return -ENOENT;
val = spa_pod_get_values(&prop->value, &n_values, &choice);
if (val->type != SPA_TYPE_Int)
if (!spa_pod_is_int(val))
return -ENOTSUP;
if (n_values == 0)