mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-27 06:46:48 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
pipewire/spa
History
Wim Taymans e3e1c4d214 security: fix integer overflow in Bluetooth codec codesize calculations 
Memory Safety: High

Several Bluetooth audio codec implementations calculate codesize by
multiplying samples * channels * sizeof(sample_type) without overflow
checks. The parameters come from Bluetooth codec negotiation, which is
influenced by the remote peer. If the multiplication overflows, codesize
wraps to a small value, causing subsequent buffer size checks to pass
while the actual data processing operates on the full (larger) sample
count, leading to heap buffer overflows.

Affected codecs: LC3 (BAP), LC3plus (A2DP), Opus (A2DP), Opus-G (A2DP).

Add overflow checks before each codesize multiplication to ensure the
result fits in the target integer type, returning -EINVAL on overflow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-24 15:55:35 +02:00
..
examples spa: examples: fix getopt usage + typos in adapter-control 2025-10-26 14:12:19 +00:00
include spa: system: make spa_poll_event compatible with epoll_events 2026-04-06 10:24:32 +00:00
include-private/spa-private spa: move dbus helpers out of bluez plugin 2024-02-05 13:03:20 +00:00
lib spa: update lib.c 2026-03-09 18:33:32 +01:00
plugins security: fix integer overflow in Bluetooth codec codesize calculations 2026-04-24 15:55:35 +02:00
tests spa/tests: remove unused #include <linux/limits.h> 2026-03-11 21:50:21 +00:00
tools tools: port various tools to the new json-builder 2026-02-26 10:51:17 +01:00
meson.build meson: Always use -fno-strict-aliasing and -fno-strict-overflow 2025-07-24 07:30:28 +00:00