There is no limit on the number of inputs/outputs of a graph but the
filter-chain assumes it is at most 128 and also that there are at most
128 buffer datas.
Increase the limit (1024) and clamp and log an error when the
filter-graph has more channels. Also clamp the buffer datas so that we
don't overflow the stack allocated buffers.

module-access: add NULL check after pw_properties_new for
socket_access.
module-pulse-tunnel: add NULL check after 4MB calloc for ring
buffer.
module-rt: add NULL check after calloc in thread create.
module-rtp-session: add goto error after failed
pw_net_parse_address instead of falling through.
module-snapcast-discover: fix missing null-termination on
network-received data before logging it as a string.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Three modules had "impl->capture_info.rate = !impl->playback_info.rate"
which evaluates to 0 (logical NOT of a non-zero rate) instead of
copying the playback rate. This is a copy-paste typo from the line
above which correctly uses "= impl->capture_info.rate".
Affects module-filter-chain, module-loopback, module-example-filter.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

module-filter-chain: fix NULL pointer dereference when
pw_stream_dequeue_buffer returns NULL and out->requested is
accessed outside the NULL check.
module-zeroconf-discover: add NULL checks for name, type,
host_name, address, and port from mDNS lookups that could be
missing in malformed announcements.
module-raop-sink: cap net.mtu to 9000 to prevent stack overflow
via VLA uint32_t out[8 + mtu].
module-rtp-sap: fix buffer over-read in SDP "i=" line parsing
that read past a self-inserted null terminator. Also fix fd leak
when fd is 0 (fd > 0 should be fd >= 0).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

The aec_method parameter is interpolated into a SPA library path
as "aec/libspa-aec-%s". A client could use "../" sequences to
load arbitrary SPA plugins. Reject values containing ".." or "/".
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
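The check described in the aec_method commit message above, as an added example that is not the project's own code. The helper names `build_aec_path` and `aec_method_is_safe`, the buffer sizes and the sample method values are assumptions made for illustration; the truncation check goes beyond what the commit message states.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: a method name is accepted only if it cannot change
 * which directory the formatted library path points into. */
static int aec_method_is_safe(const char *method)
{
    if (method == NULL)
        return 0;
    /* The commit message's rule: reject ".." and "/" anywhere in the value. */
    if (strstr(method, "..") != NULL || strchr(method, '/') != NULL)
        return 0;
    return 1;
}

/* Hypothetical helper: format "aec/libspa-aec-%s" into path.
 * Returns 0 on success, -EINVAL for a rejected method and
 * -ENAMETOOLONG if the result would not fit (added check). */
static int build_aec_path(const char *method, char *path, size_t size)
{
    int n;

    if (!aec_method_is_safe(method))
        return -EINVAL;

    n = snprintf(path, size, "aec/libspa-aec-%s", method);
    if (n < 0 || (size_t)n >= size)
        return -ENAMETOOLONG;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one plain name and three rejected forms. */
    const char *samples[] = { "webrtc", "../other", "sub/dir", ".." };
    char path[64];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int res = build_aec_path(samples[i], path, sizeof(path));
        if (res == 0)
            printf("%-10s -> %s\n", samples[i], path);
        else
            printf("%-10s -> rejected (%s)\n", samples[i], strerror(-res));
    }
    return 0;
}
```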
A PulseAudio client can load this module with an arbitrarily complex
blocklist regex, causing catastrophic backtracking in regexec on
every new device. Cap the regex string at 1024 characters.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

A negative max-clients value in the config is parsed as int then
assigned to uint32_t, wrapping to UINT32_MAX and effectively
disabling the client limit.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

When sink_name/source_name is not provided, pw_properties_get for
PW_KEY_NODE_NAME returns NULL, which is then passed to
pw_properties_setf as a %s argument.
Add NULL check before calling pw_properties_setf.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

A client-supplied device name ending in ".monitor" was stack-allocated
via strndupa without any size limit. Since protocol messages can be up
to 16MB, a malicious client could send a very long device name and
overflow the stack, crashing the daemon.
Cap the strndupa length at MAX_NAME (1024) in both find_device and
do_set_default.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>