mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-28 06:46:42 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
pipewire/src/modules
History
Wim Taymans 4305d7e82d security: fix integer overflows in netjack2 peer buffer allocations 
Memory Safety: High

In netjack2_init(), several buffer sizes are computed by multiplying
network-provided session parameters (period_size, channel counts,
kbps) without overflow checks. A malicious network peer can send
crafted session parameters that cause these multiplications to
overflow, resulting in undersized buffer allocations. Subsequent
writes to these buffers then overflow the heap.

Specific issues fixed:
1. midi_size = period_size * sizeof(float) * max_midi_channels can
   overflow, causing calloc to allocate a small buffer.
2. encoded_size = max_encoded_size * max_audio_channels can overflow
   for both INT and OPUS encoders.
3. OPUS kbps * period_size * 1024 numerator can overflow uint32_t;
   widen to uint64_t for the intermediate calculation.
4. Division by zero if sample_rate is 0 in OPUS encoder path.
5. Missing NULL checks on calloc for empty and midi_data buffers.
6. Channel counts not capped to MAX_CHANNELS before use.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-24 15:55:35 +02:00
..
module-adapter *: unify config.h handling 2025-05-30 10:24:13 +00:00
module-avb module-avb: fix GET_NAME to validate length before field reads and reply with fixed size 2026-04-24 11:50:23 +02:00
module-client-device core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-client-node core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-jack-tunnel dlopen: support search path ending in / 2026-04-13 10:26:33 +02:00
module-metadata
module-netjack2 security: fix integer overflows in netjack2 peer buffer allocations 2026-04-24 15:55:35 +02:00
module-profiler
module-protocol-native test: fix pod size 2026-04-08 11:28:04 +02:00
module-protocol-pulse security: fix integer overflow in PulseAudio message buffer allocation 2026-04-23 17:46:47 +02:00
module-raop fix some uninitialized variables warnings 2026-04-08 11:29:36 +02:00
module-roc pipewire: module-roc-{sink,source}: fix log format string issues 2026-02-19 19:37:15 +00:00
module-rt
module-rtp module-rtp: Lower missing timeout log line from warn to trace 2026-03-30 23:45:34 +02:00
module-sendspin fix some uninitialized variables warnings 2026-04-08 11:29:36 +02:00
module-session-manager core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-vban security: fix missing packet length validation in VBAN MIDI receive 2026-04-24 15:55:35 +02:00
spa doc: move modules around to add to docs 2025-01-28 12:33:47 +01:00
zeroconf-utils zeroconf: sanitize the properties 2026-02-27 17:31:42 +01:00
flatpak-utils.h modules: get also instance id for flatpak apps 2025-05-12 09:40:32 +00:00
meson.build meson: try to fix the doc build 2026-02-27 18:23:45 +01:00
module-access.c *: unify config.h handling 2025-05-30 10:24:13 +00:00
module-adapter.c core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-avb.c *: unify config.h handling 2025-05-30 10:24:13 +00:00
module-client-device.c core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-client-node.c modules: remove v0 protocol support 2025-07-10 16:26:01 +02:00
module-combine-stream.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-echo-cancel.c security: fix missing malloc NULL checks in echo-cancel 2026-04-23 16:25:19 +02:00
module-example-filter.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-example-sink.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-example-source.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-fallback-sink.c *: unify config.h handling 2025-05-30 10:24:13 +00:00
module-ffado-driver.c midi: don't convert Midi in nodes 2026-03-25 11:59:43 +01:00
module-filter-chain.c filter-graph: use convolver2 for sofa 2026-04-21 16:52:49 +02:00
module-jack-tunnel.c docs: remove support for absolute paths from docs 2026-04-06 14:47:21 +02:00
module-jackdbus-detect.c *: unify config.h handling 2025-05-30 10:24:13 +00:00
module-link-factory.c core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-loopback.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-metadata.c core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-netjack2-driver.c modules: add PRIORITY_SESSION 2026-02-16 10:38:05 +01:00
module-netjack2-manager.c node: remove node.link-group from drivers 2026-03-05 14:32:41 +01:00
module-parametric-equalizer.c module-eq: Unload filter-chain on destruction 2025-12-26 18:53:48 +00:00
module-pipe-tunnel.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-portal.c *: unify config.h handling 2025-05-30 10:24:13 +00:00
module-profiler.c core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-protocol-native.c core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-protocol-pulse.c pulse-server: increase min quantum values 2025-11-06 12:52:48 +01:00
module-protocol-simple.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-pulse-tunnel.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-raop-discover.c zeroconf: sanitize the properties 2026-02-27 17:31:42 +01:00
module-raop-sink.c security: clear sensitive auth data from stack buffers in RAOP 2026-04-23 17:49:43 +02:00
module-roc-sink.c pipewire: module-roc-{sink,source}: remove logging related unused code 2026-02-19 19:37:15 +00:00
module-roc-source.c pipewire: module-roc-{sink,source}: remove logging related unused code 2026-02-19 19:37:15 +00:00
module-rt.c module-rt: warn if setting niceness fails with rtlimit 2025-12-11 16:38:00 -08:00
module-rtp-sap.c module-rtp: Add more logging for debugging timer related issues 2026-03-30 23:45:34 +02:00
module-rtp-session.c zeroconf: sanitize the properties 2026-02-27 17:31:42 +01:00
module-rtp-sink.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-rtp-source.c module-rtp-source: Only enable IGMP recovery when using multicast 2026-03-30 23:45:34 +02:00
module-scheduler-v1.c scheduler: make nodes move to IDLE when inactive 2026-04-14 14:28:29 +02:00
module-sendspin-recv.c sendspin: cleanup receive sync and logging 2026-03-01 12:49:24 +01:00
module-sendspin-send.c sendspin: negotiate the first raw format 2026-03-13 12:03:11 +01:00
module-session-manager.c Fix typos 2024-05-22 09:19:34 +02:00
module-snapcast-discover.c fix some uninitialized variables warnings 2026-04-08 11:29:36 +02:00
module-spa-device-factory.c core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-spa-device.c doc: move modules around to add to docs 2025-01-28 12:33:47 +01:00
module-spa-node-factory.c core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-spa-node.c doc: move modules around to add to docs 2025-01-28 12:33:47 +01:00
module-vban-recv.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-vban-send.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-x11-bell.c *: unify config.h handling 2025-05-30 10:24:13 +00:00
module-zeroconf-discover.c zeroconf: sanitize the properties 2026-02-27 17:31:42 +01:00
network-utils.h network-utils: pw_net_are_addresses_equal() function 2026-03-30 23:45:33 +02:00