Wim Taymans c525cfcced security: reject negative DBus array lengths in Bluetooth transport ... Memory Safety: High dbus_message_iter_get_fixed_array() returns the array length as a signed int. A malformed DBus message could produce a negative length value. In the Configuration property handler, the check 'if (!len)' does not catch negative values, allowing negative lengths to be passed to malloc() and memcpy() where sign extension to size_t creates enormous values. The debug logging call spa_debug_log_mem() also receives the negative length cast to size_t, causing an out-of-bounds read. In the Capabilities/Metadata handler, 'if (n)' is similarly true for negative values, and the negative int assigned to the size_t *size output parameter corrupts the stored length. Fix by using 'len <= 0' and 'n > 0' checks respectively, and move debug logging after validation. Explicitly zero the length on the negative/zero path to prevent storing corrupted sizes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>		2026-04-27 11:04:52 +02:00
..
examples	spa: examples: fix getopt usage + typos in adapter-control	2025-10-26 14:12:19 +00:00
include	spa: add spa_alloca that does overflow and limit checks	2026-04-27 10:53:44 +02:00
include-private/spa-private	spa: move dbus helpers out of bluez plugin	2024-02-05 13:03:20 +00:00
lib	spa: update lib.c	2026-03-09 18:33:32 +01:00
plugins	security: reject negative DBus array lengths in Bluetooth transport	2026-04-27 11:04:52 +02:00
tests	spa/tests: remove unused #include <linux/limits.h>	2026-03-11 21:50:21 +00:00
tools	tools: port various tools to the new json-builder	2026-02-26 10:51:17 +01:00
meson.build	meson: Always use -fno-strict-aliasing and -fno-strict-overflow	2025-07-24 07:30:28 +00:00