pipewire/spa/plugins/bluez5
Wim Taymans c525cfcced security: reject negative DBus array lengths in Bluetooth transport
Memory Safety: High

dbus_message_iter_get_fixed_array() returns the array length as a
signed int. A malformed DBus message could produce a negative length
value. In the Configuration property handler, the check 'if (!len)'
does not catch negative values, allowing negative lengths to be passed
to malloc() and memcpy() where sign extension to size_t creates
enormous values. The debug logging call spa_debug_log_mem() also
receives the negative length cast to size_t, causing an out-of-bounds
read.

In the Capabilities/Metadata handler, 'if (n)' is similarly true for
negative values, and the negative int assigned to the size_t *size
output parameter corrupts the stored length.

Fix by using 'len <= 0' and 'n > 0' checks respectively, and move
debug logging after validation. Explicitly zero the length on the
negative/zero path to prevent storing corrupted sizes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-27 11:04:52 +02:00
g722 bluez5: asha-codec-g722: Drop the dependency on FFmpeg 2025-02-13 19:55:18 +05:30
a2dp-codec-aac.c bluez5: aac: Use VBR encoding with Mode 5 by default 2026-04-05 20:24:47 +03:00
a2dp-codec-aptx.c bluez5: add codec_data for codec-private configuration data 2025-11-21 08:33:14 +00:00
a2dp-codec-caps.h bluez5: aac: fix for A2DP v1.4 using rfa bits for more channels 2025-07-10 14:12:15 +00:00
a2dp-codec-faststream.c bluez5: add codec_data for codec-private configuration data 2025-11-21 08:33:14 +00:00
a2dp-codec-lc3plus.c security: fix integer overflow in Bluetooth codec codesize calculations 2026-04-24 15:55:35 +02:00
a2dp-codec-ldac.c bluez5: add codec_data for codec-private configuration data 2025-11-21 08:33:14 +00:00
a2dp-codec-opus-g.c security: fix integer overflow in Bluetooth codec codesize calculations 2026-04-24 15:55:35 +02:00
a2dp-codec-opus.c security: fix integer overflow in Bluetooth codec codesize calculations 2026-04-24 15:55:35 +02:00
a2dp-codec-sbc.c bluez5: sbc: clean up codec_enum_config 2026-03-09 15:53:35 +00:00
asha-codec-g722.c bluez5: replace codec->bap/asha flags with codec->kind enum 2025-06-13 17:51:16 +00:00
backend-hsphfpd.c bluez5: indicate codec support status for ofono/hsphfpd 2025-06-13 17:51:16 +00:00
backend-native.c bluez5: add quirk for LC3-24kHz for HFP 2026-04-17 22:10:32 +00:00
backend-ofono.c bluez5: indicate codec support status for ofono/hsphfpd 2025-06-13 17:51:16 +00:00
bap-codec-caps.h bluez5: parse and enable configuration of TMAP / GMAP features 2025-12-06 11:23:48 +00:00
bap-codec-lc3.c security: fix integer overflow in Bluetooth codec codesize calculations 2026-04-24 15:55:35 +02:00
bluez-hardware.conf bluez5: more MT7925 quirks 2026-04-19 16:02:56 +00:00
bluez5-dbus.c security: reject negative DBus array lengths in Bluetooth transport 2026-04-27 11:04:52 +02:00
bluez5-device.c bluez: Discard latency and quality codecs worse than SBC for A2DP auto profiles. 2026-03-24 07:28:14 +00:00
bt-latency.h bluez5: deal with missing TX timestamps 2026-01-11 17:55:26 +02:00
codec-loader.c bluez5: support LC3-24kHz HFP codec available on some Apple devices 2025-06-13 22:15:29 +00:00
codec-loader.h
dbus-monitor.c
dbus-monitor.h
decode-buffer.h spa: add and use spa_overflow macros 2026-04-24 15:55:35 +02:00
defs.h bluez5: add quirk for LC3-24kHz for HFP 2026-04-17 22:10:32 +00:00
hci.c
hfp-codec-caps.h bluez5: remove HFP codec id from transports 2025-06-13 17:51:16 +00:00
hfp-codec-cvsd.c bluez5: fix wrong use of SPA_POD_CHOICE_ENUM_Int 2025-11-03 22:11:04 +00:00
hfp-codec-lc3-a127.c bluez5: fix wrong use of SPA_POD_CHOICE_ENUM_Int 2025-11-03 22:11:04 +00:00
hfp-codec-lc3-swb.c bluez5: fix wrong use of SPA_POD_CHOICE_ENUM_Int 2025-11-03 22:11:04 +00:00
hfp-codec-msbc.c bluez5: fix wrong use of SPA_POD_CHOICE_ENUM_Int 2025-11-03 22:11:04 +00:00
hfp-h2.h bluez5: add HFP codecs in the media codec API 2025-06-13 17:51:16 +00:00
iso-io.c bluez5: iso-io: don't use streams without tx_latency enabled for fill level calculation 2026-04-09 08:00:37 +00:00
iso-io.h bluez5: iso-io: add debug option for forcing same data in all streams 2026-01-11 17:55:26 +02:00
media-codecs.c bluez5: add codec_data for codec-private configuration data 2025-11-21 08:33:14 +00:00
media-codecs.h bluez5: set some BAP Context metadata value on streams 2025-11-21 08:33:14 +00:00
media-sink.c bluez5: fix crash due to debug_mono 2026-01-12 19:57:56 +02:00
media-source.c bluez5: media-source: don't crash if BAP streams doesn't have iso_io 2026-03-19 15:39:18 +00:00
meson.build bluez5: add PLC for MSBC using spandsp 2025-07-12 19:59:33 +00:00
midi-enum.c *: unify config.h handling 2025-05-30 10:24:13 +00:00
midi-node.c mixer: handle control.ump property 2026-03-25 11:59:43 +01:00
midi-parser.c
midi-server.c bluez5: fix some coverity issues 2025-06-14 14:34:55 +03:00
midi.h
modemmanager.c spa: bluez: modemmanager: Add support for memory dialing for PTS tests 2025-12-15 08:56:03 +00:00
modemmanager.h
org.bluez.xml
player.c spa: bluez: mark dbus vtables static 2025-11-07 12:28:16 +00:00
player.h
plc.h bluez5: add PLC for MSBC using spandsp 2025-07-12 19:59:33 +00:00
plugin.c spa: export log topic enumerations 2024-01-04 10:02:55 +00:00
quirks.c bluez5: add quirk for LC3-24kHz for HFP 2026-04-17 22:10:32 +00:00
rate-control.h Fix spelling errors in comments and log messages 2026-04-13 07:20:11 +00:00
README-MIDI.md
README-OPUS-A2DP.md
README-SBC-XQ.md
README-Telephony.md bluez5: telephony: implement asynchronous D-Bus calls 2025-08-01 15:39:06 +00:00
rtp.h
sco-io.c bluez5: sco-io: send keepalive TX data if sink is not feeding it 2025-09-29 14:15:46 +00:00
telephony.c spa: add and use spa_overflow macros 2026-04-24 15:55:35 +02:00
telephony.h bluez5: telephony: implement asynchronous D-Bus calls 2025-08-01 15:39:06 +00:00
test-midi.c
upower.c spa: move dbus helpers out of bluez plugin 2024-02-05 13:03:20 +00:00
upower.h