mirror of
https://gitlab.freedesktop.org/pipewire/pipewire.git
synced 2026-04-30 06:46:49 -04:00
Memory Safety: High

dbus_message_iter_get_fixed_array() returns the array length as a signed int. A malformed DBus message could produce a negative length value. In the Configuration property handler, the check 'if (!len)' does not catch negative values, allowing negative lengths to be passed to malloc() and memcpy() where sign extension to size_t creates enormous values. The debug logging call spa_debug_log_mem() also receives the negative length cast to size_t, causing an out-of-bounds read.

In the Capabilities/Metadata handler, 'if (n)' is similarly true for negative values, and the negative int assigned to the size_t *size output parameter corrupts the stored length.

Fix by using 'len <= 0' and 'n > 0' checks respectively, and move debug logging after validation. Explicitly zero the length on the negative/zero path to prevent storing corrupted sizes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

| | | |
|---|---|---|
| aec | ||
| alsa | ||
| audioconvert | ||
| audiomixer | ||
| audiotestsrc | ||
| avb | ||
| bluez5 | ||
| control | ||
| ffmpeg | ||
| filter-graph | ||
| jack | ||
| libcamera | ||
| support | ||
| test | ||
| v4l2 | ||
| videoconvert | ||
| videotestsrc | ||
| volume | ||
| vulkan | ||
| meson.build | ||