Commit graph

4678 commits

Author SHA1 Message Date
佳和 刘
b24917b719 Merge branch 'add-lineout' into 'master'
spa: add "Line Out" element to headphones and lineout profiles

See merge request pipewire/pipewire!2713
2026-05-01 18:48:29 +00:00
Wim Taymans
398326f19c security: add missing NULL checks after calloc in Bluetooth backend
Memory Safety: Medium

Two calloc() calls in backend-native.c do not check the return value
before dereferencing the pointer:

1. rfcomm_send_cmd_enqueue() allocates an rfcomm_cmd struct and
   immediately passes cmd->cmd to vsnprintf without a NULL check.

2. rfcomm_hfp_ag_clcc() allocates an updated_call struct and
   immediately dereferences updated_call->id without a NULL check.

Both would crash on allocation failure. Add NULL checks that return
an error instead of dereferencing NULL.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-29 14:22:53 +02:00
Wim Taymans
d4cf1d0d6f security: bound alloca size for udev property strings
Memory Safety: Low

The udev device enumeration code uses alloca(strlen(str) + 1) to
allocate stack buffers for unescaping ID_VENDOR_ENC and ID_MODEL_ENC
udev properties. These property values originate from the udev database
and could theoretically be manipulated through custom udev rules or
crafted USB device descriptors. An excessively long property value
would cause unbounded stack allocation.

Add a 1024-byte cap on the alloca size and skip the unescape step for
oversized values, falling back to the raw encoded string.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-29 14:22:33 +02:00
Wim Taymans
6bcefd0d59 security: add missing NULL checks after calloc/strdup in filter-graph
Memory Safety: Medium

parse_graph() does not check the return values of calloc() for
input_names/output_names arrays, or strdup() for individual name
entries. If any allocation fails, the code dereferences a NULL pointer
or stores NULL without detection. Add NULL checks that return -ENOMEM
on allocation failure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-29 14:20:46 +02:00
Wim Taymans
715d1736e9 security: add missing NULL checks after calloc in LADSPA plugin
Memory Safety: Medium

ladspa_plugin_make_desc() calls calloc() twice without checking the
return value. If either allocation fails, the code dereferences a NULL
pointer, causing a crash. Add NULL checks after both calloc calls and
properly free the descriptor struct if the ports allocation fails.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-29 14:19:59 +02:00
Wim Taymans
bc93a745ab security: add missing NULL check after strdup in MIDI server
Memory Safety: Medium

spa_bt_midi_server_new() did not check the return value of strdup()
when duplicating the characteristic path. On allocation failure, a
NULL chr_path would be returned as part of the server object,
leading to a NULL pointer dereference when later used. Add a NULL
check that jumps to the existing fail cleanup path.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-29 11:36:53 +02:00
Wim Taymans
acabcf085d security: add missing NULL checks after strdup/calloc in backend-hsphfpd
Memory Safety: Medium

Multiple allocation results in the HSP/HFP daemon backend were not
checked for NULL:

- transport_data->transport_path strdup in new_audio_connection()
- endpoint->remote_address and local_address strdup in property parsing
- t_path strdup before spa_bt_transport_create()
- endpoint calloc and endpoint->path strdup in interface enumeration
- backend->hsphfpd_service_id strdup after registration

Each could cause a NULL pointer dereference under memory pressure. Add
appropriate NULL checks with error returns matching the existing patterns
in each function (DBUS_HANDLER_RESULT_NEED_MEMORY or -ENOMEM).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-29 11:36:32 +02:00
Wim Taymans
4de0f83aca security: add missing NULL checks after realloc/strdup in LV2 plugin
Memory Safety: Medium

Two issues in the LV2 filter-graph plugin:

1. uri_table_map(): realloc() result was assigned directly to
   table->data, losing the original pointer on failure (memory leak)
   and causing a NULL pointer dereference on the next access. Also
   the subsequent strdup() had no NULL check. Fixed by using a
   temporary pointer for realloc and checking strdup's return.

2. lv2_state_retrieve(): realloc() of sd->tmp was used without a
   NULL check, so a failed allocation would cause sd->tmp to become
   NULL and be immediately passed to spa_json_parse_stringn(). Fixed
   by checking the realloc result before assignment.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-29 11:35:08 +02:00
Wim Taymans
dcf28ff248 security: add missing NULL checks after strdup in modemmanager
Memory Safety: Medium

Four strdup() calls in the ModemManager Bluetooth integration had no
NULL checks, which could lead to NULL pointer dereferences under
memory pressure:

- mm_parse_call_properties(): call->number assignment
- mm_parse_interfaces(): this->modem.path assignment
- mm_filter_cb(): call_object->path assignment (also leaked calloc
  on failure)
- mm_register(): this->allowed_modem_device assignment

Each site now checks for NULL and handles the failure appropriately
for its context (early return, goto cleanup, or return error).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-29 11:34:37 +02:00
Wim Taymans
eaaf125d13 filter-graph: protect against large values
Limit the delay in the convolver to 10 seconds.

Limit the convolver block sizes to 64K.

Avoid overflows when using large rates, file size or number of
channels in the provided impulse response.
2026-04-29 11:02:11 +02:00
Wim Taymans
08efbf2254 security: add missing NULL check after calloc in plugin_builtin
Memory Safety: Medium

In the fallback code path when spa-plugins support is not compiled in,
calloc() for the output sample buffer was not checked for NULL. If the
allocation fails (e.g., due to a large n_samples value from filter
configuration), spa_memcpy would dereference a NULL pointer.

Fixed by adding a NULL check and returning NULL on allocation failure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-28 13:05:38 +02:00
Wim Taymans
1de8615caf security: fix missing NULL check and integer overflow in AVB ringbuffer
Memory Safety: Medium

The AVB PCM ringbuffer allocation used calloc(1, size * 4) which has
two issues: the multiplication can overflow for large ringbuffer_size
values (derived from quantum_limit config parameter), and the return
value was never checked for NULL.

Fixed by using calloc(size, 4) which lets calloc check for overflow
internally, and added a NULL check for the allocation result.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-28 13:05:09 +02:00
Wim Taymans
e3c20982a8 security: add missing NULL checks after calloc in filter-graph
Memory Safety: Medium

Multiple calloc() calls for node port arrays and the graph handle
array were not checked for NULL returns. If memory allocation fails,
the code immediately dereferences the NULL pointers in subsequent
loops, causing a crash. An attacker who can influence the filter
graph configuration (e.g., through config files specifying many
ports) could potentially trigger this condition.

Fixed by adding NULL checks after all unchecked calloc calls and
properly cleaning up on failure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-28 13:02:50 +02:00
Wim Taymans
695f25600b security: add missing O_CLOEXEC flag to V4L2 device open
File and Resource Handling: Medium

The V4L2 device file descriptor was opened without the O_CLOEXEC flag.
If a child process is subsequently spawned (e.g., via fork+exec), the
video device fd would be inherited, potentially allowing the child
process unauthorized access to the camera device.

Fixed by adding O_CLOEXEC to the open() flags.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-28 12:56:40 +02:00
Wim Taymans
7bfa93de05 security: add missing O_CLOEXEC/SOCK_CLOEXEC flags
File and Resource Handling: Medium

Several file and socket operations were missing the close-on-exec flag,
which causes file descriptors to leak to child processes created via
fork+exec. This could allow child processes unintended access to
privileged resources.

- node-driver.c: SOCK_DGRAM socket for SIOCETHTOOL ioctl leaked to
  child processes
- pw-container.c: Unix domain listen socket leaked to spawned
  container processes
- compress-offload-api.c: ALSA compress-offload device fd leaked to
  child processes

Added O_CLOEXEC to open() calls and SOCK_CLOEXEC to socket() calls.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-28 12:20:33 +02:00
Wim Taymans
aaa7076b52 acp: partially revert f76327e076
The Line Out mute seems to break things.

See #5246
2026-04-28 12:01:06 +02:00
Wim Taymans
026ae3af7a security: add bounds check for exec argv array in filter-graph
Memory Safety: Medium

The do_exec() function in the filter-graph builtin plugin parses a
JSON array of arguments into a fixed-size argv[512] stack buffer
without checking whether argc exceeds the array bounds. A crafted
filter-graph configuration with more than 511 arguments would cause
a stack buffer overflow.

Add a bounds check before each insertion to ensure argc stays within
the array limits, reserving space for the NULL terminator.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-28 10:41:34 +02:00
Wim Taymans
9f3d894c10 audiomixer: rate limit the "out of buffers" debug
See #5249
2026-04-28 10:34:39 +02:00
Wim Taymans
f00c84ccad security: replace strcpy with memcpy in alsa_id_decode
Memory Safety: Low

alsa_id_decode() uses strcpy() to copy into a caller-provided buffer
without knowing its size. Although all current callers allocate the
buffer correctly (via alloca(strlen(src) + 1) or with a pre-validated
fixed buffer), the function signature does not encode this requirement.
Replace strcpy with memcpy using the known source length to make the
bounded copy explicit.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-27 16:15:10 +02:00
Wim Taymans
edb3c27aa4 channelmix: add SEE 7p1 to stereo downmix
2026-04-27 15:59:38 +02:00
Wim Taymans
daa66c0646 overflow: fix some more potential overflows
2026-04-27 12:29:31 +02:00
Wim Taymans
c525cfcced security: reject negative DBus array lengths in Bluetooth transport
Memory Safety: High

dbus_message_iter_get_fixed_array() returns the array length as a
signed int. A malformed DBus message could produce a negative length
value. In the Configuration property handler, the check 'if (!len)'
does not catch negative values, allowing negative lengths to be passed
to malloc() and memcpy() where sign extension to size_t creates
enormous values. The debug logging call spa_debug_log_mem() also
receives the negative length cast to size_t, causing an out-of-bounds
read.

In the Capabilities/Metadata handler, 'if (n)' is similarly true for
negative values, and the negative int assigned to the size_t *size
output parameter corrupts the stored length.

Fix by using 'len <= 0' and 'n > 0' checks respectively, and move
debug logging after validation. Explicitly zero the length on the
negative/zero path to prevent storing corrupted sizes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-27 11:04:52 +02:00
Wim Taymans
f3538dd7fe security: validate metadata length before subtraction in BIS config
Memory Safety: Critical

When a Bluetooth BIS metadata entry has length=0 (e.g. when the JSON
config contains a "type" key but no "value" key, leaving the
calloc-initialized length at zero), the expression
'metadata_entry->length - 1' underflows to SIZE_MAX because the int
value is implicitly converted to size_t in the memcpy call. This causes
memcpy to read far past the metadata_entry->value buffer, leading to a
heap buffer overflow and likely crash.

Add a check that metadata_entry->length >= 1 before the subtraction,
rejecting entries with invalid length.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-27 11:03:54 +02:00
Wim Taymans
4f9e59b87d security: fix missing null termination in Bluetooth broadcast code
Memory Safety: Medium

The broadcast_code field is a 16-byte array that can be filled with
exactly 16 bytes of data via memcpy without null termination when the
input string length equals BROADCAST_CODE_LEN. The field is then
logged with %s format, which reads past the buffer boundary into
adjacent struct fields, potentially disclosing sensitive data.

Fix by changing the boundary check from > to >= to ensure room for
the null terminator, and copy the terminator along with the data.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-27 11:02:35 +02:00
Wim Taymans
ed2c0ad4ee spa: add spa_alloca that does overflow and limit checks
Make a function like alloca but with overflow checks and a max
allocation size.

Use this function where we can and also make sure that all alloca calls
are in some way limited.
2026-04-27 10:53:44 +02:00
Wim Taymans
0f8d5c6e57 spa: add and use spa_overflow macros
2026-04-24 15:55:35 +02:00
Wim Taymans
e3e1c4d214 security: fix integer overflow in Bluetooth codec codesize calculations
Memory Safety: High

Several Bluetooth audio codec implementations calculate codesize by
multiplying samples * channels * sizeof(sample_type) without overflow
checks. The parameters come from Bluetooth codec negotiation, which is
influenced by the remote peer. If the multiplication overflows, codesize
wraps to a small value, causing subsequent buffer size checks to pass
while the actual data processing operates on the full (larger) sample
count, leading to heap buffer overflows.

Affected codecs: LC3 (BAP), LC3plus (A2DP), Opus (A2DP), Opus-G (A2DP).

Add overflow checks before each codesize multiplication to ensure the
result fits in the target integer type, returning -EINVAL on overflow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-24 15:55:35 +02:00
Wim Taymans
62e1da2ea3 security: fix unchecked allocation returns in filter-graph descriptor loading
Memory Safety: High

In descriptor_load(), the initial calloc for the descriptor struct, the
strdup for the label, and four calloc calls for port arrays (input,
output, control, notify) all lacked NULL checks. If any allocation fails
under memory pressure, the code proceeds to dereference NULL pointers
when populating the port arrays, causing a crash.

Add NULL checks after all allocation calls, using the existing
descriptor_unref cleanup path which already handles freeing partially
initialized descriptors.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-24 15:55:35 +02:00
Jiahe Liu
b6caac401c spa: add "Line Out" element to headphones and lineout profiles
Some audio hardware reports output jacks as "Line Out" rather than
"Headphone" or generic analog outputs. Without an explicit "Line Out"
element in the SPA configuration, these ports may be ignored or
misidentified, leading to missing output options in desktop settings.

This change adds "Line Out" as a recognized element in both the
headphones and lineout SPA configuration files, improving compatibility
with a wider range of audio devices.
2026-04-16 12:38:43 +00:00
Masum Reza
f76327e076 alsa: acp: don’t override user-selected port on availability changes
ACP was re-selecting the “best” port on every port availability event,
even when a port was already explicitly selected by the user. This
differs from PulseAudio’s behavior, where port switching decisions are
left to higher-level policy.

This caused issues on devices where Line Out (speakers) and Headphones
share the same analog interface: when headphones are plugged in, ACP
would immediately switch away from the user-selected Line Out, or end up
in a state where no sound is produced despite selecting speakers explicitly from
clients like pwvucontrol.

Fix this by only re-evaluating and switching ports when:
  - no active port is currently selected, or
  - the active port has become unavailable

This preserves manual user choices and prevents ACP from fighting client
port selections during route activation.

Additionally, adjust ALSA mixer paths to better separate Line Out and
Headphones behavior:
  - Disable Line Out controls in the headphones path
  - Add explicit Line Out and Auto-Mute Mode handling in the lineout path

Together, these changes align PipeWire’s behavior more closely with
PulseAudio and fix cases where selecting speakers while headphones are
plugged results in no audio output.

Signed-off-by: John Titor <masumrezarock100@gmail.com>
2026-04-16 10:45:01 +00:00
Wim Taymans
adad89dc0e add spa_memcpy to more places
Use spa_memcpy where we memcpy data so that when the debug option is
enabled we can see more.
2026-04-16 12:16:06 +02:00
Wim Taymans
35cbd2e56a audioconvert: don't setup again in suspend
Remove the fallthrough in suspend, we don't want to do the setup that we
do in the paused mode, just reset the node and unset the started state.
2026-04-16 10:12:09 +02:00
Wim Taymans
03fd89abea alsa-seq: add : between client and port name
The separator is important for applications to find the client name and
group ports.

Fixes #5229
2026-04-15 11:20:18 +02:00
zuozhiwei
3277f3acfb alsa: fix inverted port validity check in port_reuse_buffer
The CHECK_PORT condition in impl_node_port_reuse_buffer was inverted with a negation operator, causing the function to reject valid output ports and accept invalid ones.

Fixes the logic so that valid ports proceed to buffer recycling and invalid ports are properly rejected.
2026-04-15 09:17:49 +00:00
Wim Taymans
ae723a69f6 filter-graph: allow negative Gain in mixer
To allow for polarity changes.

Fixes #5228
2026-04-15 09:41:55 +02:00
Wim Taymans
823dcd8843 scheduler: make nodes move to IDLE when inactive
When a node is inactive but linked to a driver, the only reason it is
not being scheduled is because it is inactive.

We already set up the links and negotiate the format and buffers to
prepare going to RUNNING. This patch now also makes the node go to IDLE,
which makes the adapter negotiate a format and buffers with the internal
node.

This makes things more symmetrical, when linking a node, it becomes IDLE,
when activating it becomes RUNNABLE, when inactive it goes back to IDLE.
The switch to RUNNING will also be faster when things are already set up
in the IDLE state.

The main advantage is that it allows us to implement the startup of
corked streams in pulseaudio better. Before this patch we had to set the
stream to active to make it go through the Format and buffer negotiation
and then quickly set it back to inactive, hopefully without skipping a
cycle. After this patch, the corked stream goes all the way to IDLE,
where it then waits to become active.

See #4991
2026-04-14 14:28:29 +02:00
Wim Taymans
474253719f alsa-seq: remove port from mix_list on destroy
When the port is destroyed we need to remove it from the mix_list or
else the process function will keep trying to use the invalid memory.

This is because the port logic does not want to call any functions on
the port (like clearing the IO or Format) after it emitted the destroy
signal and we need to clean up ourselves.

Fixes #5221
2026-04-14 11:09:29 +02:00
Wim Taymans
e75f72476b security: fix missing malloc NULL checks in pffft
Memory Safety: Medium

In new_setup_simd(), the return value of malloc() for the PFFFT_Setup
struct was not checked before dereferencing. Similarly,
pffft_aligned_malloc() for the data buffer was not checked. If either
allocation fails, the code dereferences NULL causing a crash.

Add NULL checks for both allocations, freeing previously allocated
memory on failure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-23 16:59:17 +02:00
Wim Taymans
bb9d306399 audioconvert: also benchmark the inter versions
2026-04-23 09:38:01 +02:00
Wim Taymans
596047aaef resample: use some extra accumulators to improve pipelining
2026-04-23 09:32:31 +02:00
Wim Taymans
75e432a49a resample: use independent accumulators for SSE and SSSE3
2026-04-23 09:18:08 +02:00
Wim Taymans
37f9f7773c resample: implement inter for ssse3
2026-04-22 18:28:25 +02:00
Wim Taymans
dfeca5806f resample: don't use hadd, it is slow
2026-04-22 18:23:33 +02:00
Wim Taymans
a0518e28bb audioconvert: avoid some float/double/int conversions
2026-04-22 18:00:59 +02:00
Wim Taymans
9c9a5ac435 convolver: returned processed samples
2026-04-22 16:13:56 +02:00
Wim Taymans
495c1c9dd0 dsp: precalculate the scale
2026-04-22 16:13:56 +02:00
Wim Taymans
3c2552e671 dsp: add SSE and AVX2 mult and linear functions
2026-04-22 16:13:56 +02:00
Wim Taymans
3e7e61dcb7 convolver: small cleanups
Remove unused field.
We can also remove the ifft and reuse the fft.
2026-04-22 16:13:56 +02:00
Wim Taymans
aabcbf1261 dsp: move scaling out of complex multiply
do scaling as part of iFFT.
2026-04-22 16:13:56 +02:00
Wim Taymans
7fc020098c dsp: shuffle per implementation
2026-04-22 16:13:56 +02:00