From fb4e14898563afa89c41b0a0a5fc7ae667560274 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 27 Apr 2026 12:15:18 +0200
Subject: [PATCH] conf: avoid overflow in pw_strv_insert_at

Purely theoretical when there are a lot of arguments...
---
 src/pipewire/conf.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/pipewire/conf.c b/src/pipewire/conf.c
index 85f96b5e0..58ccc2fb3 100644
--- a/src/pipewire/conf.c
+++ b/src/pipewire/conf.c
@@ -25,6 +25,7 @@
 #endif
 
 #include <spa/utils/cleanup.h>
+#include <spa/utils/overflow.h>
 #include <spa/utils/result.h>
 #include <spa/utils/string.h>
 #include <spa/utils/json.h>
@@ -929,8 +930,10 @@ static char **pw_strv_insert_at(char **strv, int len, int pos, const char *str)
 	if (pos < 0 || pos > len)
 		pos = len;
 
-	n = realloc(strv, sizeof(char*) * (len + 2));
-	if (n == NULL) {
+	size_t alloc_size;
+	if (spa_overflow_add((size_t)len, (size_t)2, &alloc_size) ||
+	    spa_overflow_mul(alloc_size, sizeof(char*), &alloc_size) ||
+	    (n = realloc(strv, alloc_size)) == NULL) {
 		pw_free_strv(strv);
 		return NULL;
 	}