pipewire

mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-30 06:46:49 -04:00

Wim Taymans 06421554d3 security: cap alloca size in JSON-to-POD string conversion Memory Safety: Medium spa_json_to_pod_part() uses alloca(len+1) to allocate a stack buffer for JSON string values, where len comes from the JSON parser. Since this function is recursive (for nested JSON objects/arrays), a crafted JSON document with large string values can cause stack exhaustion through unbounded alloca calls. Add a size check capping the alloca to 8192 bytes, which is generous for all legitimate PipeWire configuration values (type names, IDs, property strings) while preventing stack overflow from malicious or malformed JSON input. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-28 11:52:41 +02:00
..
spa	security: cap alloca size in JSON-to-POD string conversion	2026-04-28 11:52:41 +02:00
meson.build	spa: expose utils/cleanup.h for external users	2023-10-11 19:56:11 +02:00

Wim Taymans 06421554d3 security: cap alloca size in JSON-to-POD string conversion

Memory Safety: Medium

spa_json_to_pod_part() uses alloca(len+1) to allocate a stack buffer
for JSON string values, where len comes from the JSON parser. Since
this function is recursive (for nested JSON objects/arrays), a
crafted JSON document with large string values can cause stack
exhaustion through unbounded alloca calls.

Add a size check capping the alloca to 8192 bytes, which is generous
for all legitimate PipeWire configuration values (type names, IDs,
property strings) while preventing stack overflow from malicious or
malformed JSON input.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-04-28 11:52:41 +02:00

spa

security: cap alloca size in JSON-to-POD string conversion

2026-04-28 11:52:41 +02:00

meson.build

spa: expose utils/cleanup.h for external users

2023-10-11 19:56:11 +02:00