Input Validation: High
The maap_message() handler cast the incoming network data directly to
avb_packet_maap without checking that the received data was at least
sizeof(avb_packet_maap) bytes. The caller only validates the packet is
at least avb_packet_header size, which is smaller. A truncated MAAP
packet could cause out-of-bounds reads when accessing request_start,
request_count, conflict_start, and conflict_count fields in the probe
and defend handlers.
Fix by adding a minimum packet length check at the beginning of
maap_message().
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This gets the next key and value from an object. This function is better
because it will skip key/value pairs that don't fit in the array to hold
the key.
The previous code patter would stop parsing the object as soon as a key
larger than the available space was found.
Add spa_json_begin_array/object to replace
spa_json_init+spa_json_begin_array/object
This function is better because it does not waste a useless spa_json
structure as an iterator. The relaxed versions also error out when the
container is mismatched because parsing a mismatched container is not
going to give any results anyway.
Make pw_getrandom() more usable by handling the EINTR case and returning
< 0 when there was an error or not enough random data was available.
Make a new pw_random() function that uses pw_getrandom() but falls back
to a pseudo random number generator otherwise. This pseudo random number
generator is seeded with either data from the urandom source or from the
current time when pipewire is initialized.
In most cases where crytographic security is not required pw_random()
should be easier to use.
