pipewire/spa/plugins
Barnabás Pőcze 8c892443eb spa: audioadapter: fix stack-use-after-scope when configuring format
It is not enough for `buffer` to be alive in its current
scope because when execution enters that branch, `format`
will be set to `fmt`, which points inside `buffer`. And
since `format` is used outside that scope, `buffer` must
live longer.

This was detected by ASAN when Audacity was starting up.

  ==25007==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffdbcfef560 at pc 0x7fe44ca95db3 bp 0x7ffdbcfeeda0 sp 0x7ffdbcfeed90
  READ of size 4 at 0x7ffdbcfef560 thread T0
      #0 0x7fe44ca95db2 in spa_pod_parser_pod ../spa/include/spa/pod/parser.h:67
      #1 0x7fe44ca9a805 in spa_format_parse ../spa/include/spa/param/format-utils.h:44
      #2 0x7fe44cad293a in port_set_format ../spa/plugins/audioconvert/audioconvert.c:1934
      #3 0x7fe44cadad14 in impl_node_port_set_param ../spa/plugins/audioconvert/audioconvert.c:2038
      #4 0x7fe44ca587e2 in configure_format ../spa/plugins/audioconvert/audioadapter.c:509
      #5 0x7fe44ca60dff in negotiate_format ../spa/plugins/audioconvert/audioadapter.c:822
      #6 0x7fe44ca62bbf in impl_node_send_command ../spa/plugins/audioconvert/audioadapter.c:846
      #7 0x7fe45ea1c2f1 in node_update_state ../src/pipewire/impl-node.c:407
      #8 0x7fe45ea5137e in pw_impl_node_set_state ../src/pipewire/impl-node.c:2251
      #9 0x7fe45eb3355f in pw_work_queue_destroy ../src/pipewire/work-queue.c:142
      #10 0x7fe45b2cd6f4 in source_event_func ../spa/plugins/support/loop.c:615
      #11 0x7fe45b2c634f in loop_iterate ../spa/plugins/support/loop.c:452
      #12 0x7fe45e9ebebc in spa_hook_list_clean ../spa/include/spa/utils/hook.h:395
      #13 0x5561e03dc722 in main ../src/daemon/pipewire.c:131
      #14 0x7fe45da3c28f  (/usr/lib/libc.so.6+0x2328f)
      #15 0x7fe45da3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
      #16 0x5561e03db2a4 in _start ../sysdeps/x86_64/start.S:115

  Address 0x7ffdbcfef560 is located in stack of thread T0 at offset 160 in frame
      #0 0x7fe44ca56fa9 in configure_format ../spa/plugins/audioconvert/audioadapter.c:475

    This frame has 4 object(s):
      [32, 36) 'state' (line 493)
      [48, 56) 'fmt' (line 494)
      [80, 128) 'b' (line 492)
      [160, 4256) 'buffer' (line 491) <== Memory access at offset 160 is inside this variable
2022-12-10 09:59:08 +00:00
aec aec-webrtc: clarify comment 2022-12-05 12:01:23 +01:00
alsa handle read from timerfd correctly 2022-12-09 17:30:31 +01:00
audioconvert spa: audioadapter: fix stack-use-after-scope when configuring format 2022-12-10 09:59:08 +00:00
audiomixer Add some more format checks 2022-11-03 13:10:32 +01:00
audiotestsrc handle read from timerfd correctly 2022-12-09 17:30:31 +01:00
avb handle read from timerfd correctly 2022-12-09 17:30:31 +01:00
bluez5 handle read from timerfd correctly 2022-12-09 17:30:31 +01:00
control spa: clean up some port io checks 2022-09-01 15:39:34 +02:00
ffmpeg spa: ffmpeg: set spa_handle_factory::version 2022-06-16 17:29:42 +02:00
jack buffers: make alignment optional 2022-01-03 12:32:26 +01:00
libcamera libcamera: Fix 90/270 degree transforms 2022-12-07 14:15:59 +01:00
support handle read from timerfd correctly 2022-12-09 17:30:31 +01:00
test fix build some more... 2022-12-09 18:05:01 +01:00
v4l2 libcamera: fix setting controls 2022-11-14 11:22:53 +01:00
videoconvert Revert "adapter: removed unused follower_current_format" 2022-11-09 16:24:49 +01:00
videotestsrc handle read from timerfd correctly 2022-12-09 17:30:31 +01:00
volume Add some more format checks 2022-11-03 13:10:32 +01:00
vulkan fix build some more. 2022-12-09 18:10:15 +01:00
meson.build treewide: meson.build: use host_machine instead of build_machine 2022-08-17 07:34:20 +00:00