Memory Safety: Medium
The do_exec() function in the filter-graph builtin plugin parses a
JSON array of arguments into a fixed-size argv[512] stack buffer
without checking whether argc exceeds the array bounds. A crafted
filter-graph configuration with more than 511 arguments would cause
a stack buffer overflow.
Add a bounds check before each insertion to ensure argc stays within
the array limits, reserving space for the NULL terminator.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
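The fix described above is a bounds check on every insertion into the fixed argv, keeping one slot free for the trailing NULL. The following is an added illustration, not PipeWire's do_exec(): a minimal parser for a JSON array of plain double-quoted strings (no escape handling) that fills a fixed-size argv the same way. ARGV_MAX, STORAGE_LEN, parse_json_argv and count_json_args are constructed names for this example; the limit is kept small so the overflow path is easy to exercise.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed limits for the example (the commit describes argv[512]). */
#define ARGV_MAX     8
#define STORAGE_LEN  256

/*
 * Hypothetical parser: reads a JSON array of plain double-quoted strings
 * into a fixed-size argv, copying the bytes into `storage`.
 *
 * Returns argc on success, or a negative errno:
 *   -EINVAL  malformed input
 *   -E2BIG   more strings than argv can hold (one slot reserved for NULL)
 *   -ENOMEM  string storage exhausted
 */
static int parse_json_argv(const char *json, char *storage, size_t storage_len,
                           char *argv[], size_t argv_max)
{
    size_t argc = 0, used = 0;
    const char *p = json;

    while (*p == ' ')
        p++;
    if (*p != '[')
        return -EINVAL;
    p++;

    for (;;) {
        const char *end;
        size_t len;

        while (*p == ' ' || *p == ',')
            p++;
        if (*p == ']')
            break;
        if (*p != '"')
            return -EINVAL;
        p++;
        end = strchr(p, '"');
        if (end == NULL)
            return -EINVAL;
        len = (size_t)(end - p);

        /* Bounds check before every insertion: argc may reach at most
         * argv_max - 1 so that argv[argc] = NULL always fits. */
        if (argc + 1 >= argv_max)
            return -E2BIG;
        if (used + len + 1 > storage_len)
            return -ENOMEM;

        memcpy(storage + used, p, len);
        storage[used + len] = '\0';
        argv[argc++] = storage + used;
        used += len + 1;
        p = end + 1;
    }
    argv[argc] = NULL;
    return (int)argc;
}

/* Convenience wrapper: parse into static buffers and return argc or the error. */
static int count_json_args(const char *json)
{
    static char storage[STORAGE_LEN];
    static char *argv[ARGV_MAX];
    return parse_json_argv(json, storage, sizeof(storage), argv, ARGV_MAX);
}
```

With ARGV_MAX set to 8, seven strings are accepted and an eighth is refused with -E2BIG before anything is written past the array; the same check with 512 slots is what the commit adds.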
Memory Safety: Low
alsa_id_decode() uses strcpy() to copy into a caller-provided buffer
without knowing its size. Although all current callers allocate the
buffer correctly (via alloca(strlen(src) + 1) or with a pre-validated
fixed buffer), the function signature does not encode this requirement.
Replace strcpy with memcpy using the known source length to make the
bounded copy explicit.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
dbus_message_iter_get_fixed_array() returns the array length as a
signed int. A malformed DBus message could produce a negative length
value. In the Configuration property handler, the check 'if (!len)'
does not catch negative values, allowing negative lengths to be passed
to malloc() and memcpy() where sign extension to size_t creates
enormous values. The debug logging call spa_debug_log_mem() also
receives the negative length cast to size_t, causing an out-of-bounds
read.
In the Capabilities/Metadata handler, 'if (n)' is similarly true for
negative values, and the negative int assigned to the size_t *size
output parameter corrupts the stored length.
Fix by using 'len <= 0' and 'n > 0' checks respectively, and move
debug logging after validation. Explicitly zero the length on the
negative/zero path to prevent storing corrupted sizes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Critical
When a Bluetooth BIS metadata entry has length=0 (e.g. when the JSON
config contains a "type" key but no "value" key, leaving the
calloc-initialized length at zero), the expression
'metadata_entry->length - 1' underflows to SIZE_MAX because the int
value is implicitly converted to size_t in the memcpy call. This causes
memcpy to read far past the metadata_entry->value buffer, leading to a
heap buffer overflow and likely crash.
Add a check that metadata_entry->length >= 1 before the subtraction,
rejecting entries with invalid length.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
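Both the D-Bus fixed-array commit and the BIS metadata commit above are the same class of bug: a signed or zero length crossing into size_t arithmetic. The block below is an added example, not PipeWire's handlers. copy_fixed_array stands in for the Configuration property handler (the `len <= 0` check, output length zeroed on the failure path, logging only after validation); encode_metadata_entry stands in for the metadata serialiser and performs `length - 1` only after `length >= 1` is established. The LTV layout (length byte counting type plus value) and all names are assumptions for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed stand-in for the Configuration property handler: `len`
 * arrives as a signed int, as dbus_message_iter_get_fixed_array() reports
 * it. Negative values must be rejected before any size_t conversion
 * (which would turn -1 into SIZE_MAX).
 */
static int copy_fixed_array(const uint8_t *src, int len,
                            uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;                 /* never leave a corrupt size behind */

    if (len <= 0)                 /* catches empty and negative lengths */
        return -EINVAL;

    *out = malloc((size_t)len);
    if (*out == NULL)
        return -ENOMEM;
    memcpy(*out, src, (size_t)len);
    *out_len = (size_t)len;       /* length is trustworthy only here */
    return 0;
}

/* LTV-style metadata entry; assumption: `length` counts the type byte
 * plus the value bytes, and is 0 when JSON gave "type" but no "value". */
struct metadata_entry {
    int length;
    uint8_t type;
    uint8_t value[32];
};

/*
 * Serialise one entry as [length][type][value...]. The subtraction
 * length - 1 happens only after length >= 1 is verified, so it can no
 * longer wrap to SIZE_MAX inside memcpy. Returns bytes written or -errno.
 */
static int encode_metadata_entry(const struct metadata_entry *e,
                                 uint8_t *dst, size_t dst_len)
{
    size_t value_len;

    if (e->length < 1)
        return -EINVAL;
    value_len = (size_t)e->length - 1;
    if (value_len > sizeof(e->value))
        return -EINVAL;
    if (dst_len < 2 + value_len)
        return -ENOSPC;

    dst[0] = (uint8_t)e->length;
    dst[1] = e->type;
    memcpy(dst + 2, e->value, value_len);
    return (int)(2 + value_len);
}

/* Test helpers returning plain ints (stored length, or the error). */
static int try_copy(int len)
{
    static const uint8_t src[4] = { 1, 2, 3, 4 };   /* constructed input */
    uint8_t *out;
    size_t out_len;
    int r = copy_fixed_array(src, len, &out, &out_len);
    free(out);
    return r == 0 ? (int)out_len : r;
}

static int try_encode(int length)
{
    struct metadata_entry e = { length, 0x03, { 0xAA, 0xBB, 0xCC } };
    uint8_t buf[40];
    return encode_metadata_entry(&e, buf, sizeof(buf));
}
```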
Memory Safety: Medium
The broadcast_code field is a 16-byte array that can be filled with
exactly 16 bytes of data via memcpy without null termination when the
input string length equals BROADCAST_CODE_LEN. The field is then
logged with %s format, which reads past the buffer boundary into
adjacent struct fields, potentially disclosing sensitive data.
Fix by changing the boundary check from > to >= to ensure room for
the null terminator, and copy the terminator along with the data.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
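The alsa_id_decode() and broadcast_code commits above are both about making a fixed-buffer copy explicitly bounded and NUL-terminated. As an added example (not PipeWire's code), set_broadcast_code shows the `>=` boundary check that keeps room for the terminator in a 16-byte array and copies the terminator with the data, and copy_id shows a length-checked memcpy replacing strcpy. struct big_cfg, the helper names and the 8-byte id buffer are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define BROADCAST_CODE_LEN 16

/* Constructed struct: the field after broadcast_code is what a "%s" of an
 * unterminated code would read into. */
struct big_cfg {
    char broadcast_code[BROADCAST_CODE_LEN];
    char next_field[8];
};

/* Stores a NUL-terminated code, or returns -EINVAL when the input plus its
 * terminator does not fit. A 16-character input is rejected because the
 * array has no room for the terminator (the buggy check used '>'). */
static int set_broadcast_code(struct big_cfg *cfg, const char *code)
{
    size_t len = strlen(code);
    if (len >= sizeof(cfg->broadcast_code))
        return -EINVAL;
    memcpy(cfg->broadcast_code, code, len + 1);   /* copies the NUL too */
    return 0;
}

/* memcpy with the known source length instead of strcpy: the bound is
 * visible at the call site and checked against the destination size. */
static int copy_id(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len + 1 > dst_size)
        return -ENAMETOOLONG;
    memcpy(dst, src, len + 1);
    return (int)len;
}

/* Test helper: 1 if the stored code is terminated inside the array,
 * -1 if the input was rejected. */
static int code_is_terminated(const char *code)
{
    struct big_cfg cfg;
    memset(&cfg, 'X', sizeof(cfg));       /* no accidental NULs */
    if (set_broadcast_code(&cfg, code) < 0)
        return -1;
    return memchr(cfg.broadcast_code, '\0', sizeof(cfg.broadcast_code)) != NULL;
}

static int try_copy_id(const char *src)
{
    char dst[8];
    return copy_id(dst, sizeof(dst), src);
}
```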
Make a function like alloca but with overflow checks and a max
allocation size.
Use this function where we can and also make sure that all alloca calls
are in some way limited.
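One way to build the alloca wrapper the note above asks for, as an added example rather than the project's own helper: the size computation is checked for multiplication overflow and against a hard cap, and alloca() is only reached with a size that passed both checks. ALLOCA_MAX, checked_alloca_size and reverse_u32 are constructed names; the cap value is arbitrary for the example and a real one should be chosen against the smallest stack the project's threads run on.

```c
#include <alloca.h>
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed cap on a single stack allocation. */
#define ALLOCA_MAX (16 * 1024)

/*
 * Returns n * elem_size if it neither overflows size_t nor exceeds
 * ALLOCA_MAX, otherwise 0. Callers treat 0 as "do not alloca".
 */
static size_t checked_alloca_size(size_t n, size_t elem_size)
{
    size_t total;
    if (__builtin_mul_overflow(n, elem_size, &total))
        return 0;
    if (total == 0 || total > ALLOCA_MAX)
        return 0;
    return total;
}

/*
 * Example consumer: reverses `values` in place through a stack scratch
 * buffer. alloca() must stay in this frame, so the size is computed by the
 * helper and the call itself is made here. Rejected sizes return -ENOMEM
 * before any memory is touched; the caller can then fall back to the heap.
 */
static int reverse_u32(uint32_t *values, size_t n)
{
    size_t sz = checked_alloca_size(n, sizeof(uint32_t));
    uint32_t *tmp = sz ? alloca(sz) : NULL;
    if (tmp == NULL)
        return -ENOMEM;
    for (size_t i = 0; i < n; i++)
        tmp[i] = values[n - 1 - i];
    memcpy(values, tmp, sz);
    return 0;
}

/* Test helper: reverses a constructed 4-element array when n == 4, or
 * reports the rejection for oversized n. Returns first element or -errno. */
static int try_reverse(size_t n)
{
    uint32_t v[4] = { 1, 2, 3, 4 };
    int r = reverse_u32(v, n);
    return r < 0 ? r : (int)v[0];
}
```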
Memory Safety: High
Several Bluetooth audio codec implementations calculate codesize by
multiplying samples * channels * sizeof(sample_type) without overflow
checks. The parameters come from Bluetooth codec negotiation, which is
influenced by the remote peer. If the multiplication overflows, codesize
wraps to a small value, causing subsequent buffer size checks to pass
while the actual data processing operates on the full (larger) sample
count, leading to heap buffer overflows.
Affected codecs: LC3 (BAP), LC3plus (A2DP), Opus (A2DP), Opus-G (A2DP).
Add overflow checks before each codesize multiplication to ensure the
result fits in the target integer type, returning -EINVAL on overflow.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
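To make the wraparound concrete, here is an added example (not any of the codec plugins' real code) showing an unchecked codesize product beside a checked one that returns -EINVAL when samples * channels * sample_size does not fit the target type. The 480-sample, 2-channel, 16-bit case is a constructed LC3-style input; codesize_unchecked, codesize_checked and codesize_or_err are names for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>

/* The pattern the commit fixes: unsigned wraparound is silent, so a
 * negotiated (samples, channels) pair can yield a tiny codesize. */
static uint32_t codesize_unchecked(uint32_t samples, uint32_t channels,
                                   size_t sample_size)
{
    return samples * channels * (uint32_t)sample_size;
}

/*
 * Checked version: each multiplication is tested for overflow of the
 * uint32_t result, and degenerate zero parameters are rejected as well.
 */
static int codesize_checked(uint32_t samples, uint32_t channels,
                            size_t sample_size, uint32_t *codesize)
{
    uint32_t frame, total;

    if (samples == 0 || channels == 0 || sample_size == 0)
        return -EINVAL;
    if (__builtin_mul_overflow(samples, channels, &frame))
        return -EINVAL;
    if (__builtin_mul_overflow(frame, sample_size, &total))
        return -EINVAL;
    *codesize = total;
    return 0;
}

/* Test helper: the codesize, or the negative errno from the checked path. */
static int64_t codesize_or_err(uint32_t samples, uint32_t channels,
                               size_t sample_size)
{
    uint32_t codesize;
    int r = codesize_checked(samples, channels, sample_size, &codesize);
    return r < 0 ? r : (int64_t)codesize;
}
```

With 0x10000 samples and 0x10000 channels the unchecked product is exactly 2^32 and wraps to 0, which every later "is the buffer large enough" comparison would happily accept; the checked path refuses the same parameters.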
Memory Safety: High
In descriptor_load(), the initial calloc for the descriptor struct, the
strdup for the label, and four calloc calls for port arrays (input,
output, control, notify) all lacked NULL checks. If any allocation fails
under memory pressure, the code proceeds to dereference NULL pointers
when populating the port arrays, causing a crash.
Add NULL checks after all allocation calls, using the existing
descriptor_unref cleanup path which already handles freeing partially
initialized descriptors.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Medium
In new_setup_simd(), the return value of malloc() for the PFFFT_Setup
struct was not checked before dereferencing. Similarly,
pffft_aligned_malloc() for the data buffer was not checked. If either
allocation fails, the code dereferences NULL causing a crash.
Add NULL checks for both allocations, freeing previously allocated
memory on failure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
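Both the descriptor_load() and new_setup_simd() commits above add NULL checks that route every allocation failure through one cleanup path. The block below is an added example with a constructed descriptor (label plus four port arrays, the same allocation sequence the first commit describes) and a fault-injecting allocator so that each failure point can be exercised; descriptor_load, descriptor_free, test_calloc and try_load are names for this example, not the project's functions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed descriptor mirroring the allocation order in the commit. */
struct descriptor {
    char *label;
    unsigned long *input, *output, *control, *notify;
};

/* Fault-injecting allocator: fails on call number `fail_at` (or never
 * when fail_at is negative). Counter is reset by descriptor_load(). */
static int alloc_calls, fail_at = -1;

static void *test_calloc(size_t n, size_t size)
{
    if (alloc_calls++ == fail_at)
        return NULL;
    return calloc(n, size);
}

/* Shared cleanup path: tolerates partially initialised descriptors
 * because free(NULL) is a no-op and calloc zeroed every pointer. */
static void descriptor_free(struct descriptor *d)
{
    if (d == NULL)
        return;
    free(d->label);
    free(d->input);
    free(d->output);
    free(d->control);
    free(d->notify);
    free(d);
}

static struct descriptor *descriptor_load(const char *label, size_t nports,
                                          int fail_call)
{
    struct descriptor *d;
    size_t len = strlen(label);

    alloc_calls = 0;
    fail_at = fail_call;

    d = test_calloc(1, sizeof(*d));
    if (d == NULL)
        return NULL;
    d->label = test_calloc(len + 1, 1);        /* stands in for strdup() */
    if (d->label == NULL)
        goto error;
    memcpy(d->label, label, len + 1);
    if ((d->input   = test_calloc(nports, sizeof(*d->input)))   == NULL ||
        (d->output  = test_calloc(nports, sizeof(*d->output)))  == NULL ||
        (d->control = test_calloc(nports, sizeof(*d->control))) == NULL ||
        (d->notify  = test_calloc(nports, sizeof(*d->notify)))  == NULL)
        goto error;
    for (size_t i = 0; i < nports; i++)
        d->input[i] = i;        /* safe: every array above is non-NULL here */
    return d;

error:
    descriptor_free(d);
    return NULL;
}

/* Test helper: 0 on success, -ENOMEM when allocation `fail_call` failed. */
static int try_load(int fail_call)
{
    struct descriptor *d = descriptor_load("sofa", 4, fail_call);
    if (d == NULL)
        return -ENOMEM;
    int ok = d->input[3] == 3 && strcmp(d->label, "sofa") == 0;
    descriptor_free(d);
    return ok ? 0 : -EINVAL;
}
```

Six allocations happen per load (struct, label, four arrays); failing any one of them returns NULL without dereferencing anything, and a failure index past the sixth call never triggers.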
Shuffle FFT output into real/imag blocks so that they are easier to
handle in the complex multiply. Do the unshuffle again before doing the
inverse FFT.
When streams are skipped via continue in updateDescriptors(),
the loop index i and descriptorSetLen diverge. The image info
is written at descriptorSetLen but pImageInfo was referencing
index i, pointing to uninitialized memory and causing incorrect
Vulkan descriptor updates.
Fix by using descriptorSetLen consistently.
Signed-off-by: Wang Yu <wangyu@uniontech.com>
We don't need 2 convolvers anymore, we can use the same convolver with
2 outputs with the left and right ir.
Add latency option to the sofa plugin. I believe the latency of the
SOFA filters is by default 0, so use that.
Add support for multiple convolver outputs. This makes things more
efficient because we only need to do the input FFT once to produce the N
outputs.
Add convolver2 that can have multiple outputs.
port_use_buffers and related port methods increment port_id when the
implicit output direction differs from the adapter's primary direction.
port_reuse_buffer only receives a port id but applies to output ports,
so apply the same offset before forwarding to this->target.
Also update videoadapter for the same mapping.
MT7925 fails to set up a SCO connection that results in working LC3-24kHz
audio. Other controllers (Intel etc) appear to work OK.

Add quirk for disabling this codec, and disable it for this Mediatek
controller.
ACP was re-selecting the “best” port on every port availability event,
even when a port was already explicitly selected by the user. This
differs from PulseAudio’s behavior, where port switching decisions are
left to higher-level policy.
This caused issues on devices where Line Out (speakers) and Headphones
share the same analog interface: when headphones are plugged in, ACP
would immediately switch away from the user-selected Line Out, or end up
in a state where no sound is produced despite selecting speakers explicitly from
clients like pwvucontrol.
Fix this by only re-evaluating and switching ports when:
- no active port is currently selected, or
- the active port has become unavailable
This preserves manual user choices and prevents ACP from fighting client
port selections during route activation.
Additionally, adjust ALSA mixer paths to better separate Line Out and
Headphones behavior:
- Disable Line Out controls in the headphones path
- Add explicit Line Out and Auto-Mute Mode handling in the lineout path
Together, these changes align PipeWire’s behavior more closely with
PulseAudio and fix cases where selecting speakers while headphones are
plugged results in no audio output.
Signed-off-by: John Titor <masumrezarock100@gmail.com>
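The port-switching rule in the commit above (re-evaluate only when no port is active or the active one became unavailable) is easy to state as a single function. The following is an added example, not ACP's code: a two-port model of the Line Out / Headphones case with a constructed priority order, a best_port chooser, and select_on_availability_change applying the commit's rule. Port names, priorities and helper names are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

enum availability { AVAIL_UNKNOWN, AVAIL_NO, AVAIL_YES };

struct port {
    const char *name;
    int priority;
    enum availability available;
};

/* Highest-priority port that is not known to be unavailable. This is what
 * the old behaviour applied on every availability event. */
static const struct port *best_port(const struct port *ports, size_t n)
{
    const struct port *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if (ports[i].available == AVAIL_NO)
            continue;
        if (best == NULL || ports[i].priority > best->priority)
            best = &ports[i];
    }
    return best;
}

/* The commit's rule: keep the active port unless nothing is selected or
 * the selection has become unavailable. `active` may be NULL. */
static const struct port *
select_on_availability_change(const struct port *ports, size_t n,
                              const struct port *active)
{
    if (active != NULL && active->available != AVAIL_NO)
        return active;               /* preserve the user's choice */
    return best_port(ports, n);
}

/* Test helper: builds the two-port scenario and returns the selected
 * port's name after an availability event, or "none". Headphones get the
 * higher priority so the old behaviour would always jump to them. */
static const char *pick(const char *active_name, enum availability lineout,
                        enum availability headphones)
{
    struct port ports[2] = {
        { "analog-output-lineout",    100, lineout },
        { "analog-output-headphones", 200, headphones },
    };
    const struct port *active = NULL;
    for (size_t i = 0; i < 2; i++)
        if (active_name != NULL && strcmp(ports[i].name, active_name) == 0)
            active = &ports[i];
    const struct port *p = select_on_availability_change(ports, 2, active);
    return p ? p->name : "none";
}
```

Plugging in headphones while Line Out is the user's selection leaves Line Out selected; only when nothing is selected, or Line Out itself reports unavailable, does the best-port logic run.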
The CHECK_PORT condition in impl_node_port_reuse_buffer was inverted with a negation operator, causing the function to reject valid output ports and accept invalid ones.
Fixes the logic so that valid ports proceed to buffer recycling and invalid ports are properly rejected.
When a node is inactive but linked to a driver, the only reason it is
not being scheduled is because it is inactive.
We already set up the links and negotiate the format and buffers to
prepare going to RUNNING. This patch now also makes the node go to IDLE,
which makes the adapter negotiate a format and buffers with the internal
node.
This makes things more symmetrical: when linking a node, it becomes IDLE,
when activating it becomes RUNNABLE, when inactive it goes back to IDLE.
The switch to RUNNING will also be faster when things are already set up
in the IDLE state.
The main advantage is that it allows us to implement the startup of
corked streams in pulseaudio better. Before this patch we had to set the
stream to active to make it go through the Format and buffer negotiation
and then quickly set it back to inactive, hopefully without skipping a
cycle. After this patch, the corked stream goes all the way to IDLE,
where it then waits to become active.
See #4991