mirror of
https://gitlab.freedesktop.org/pipewire/pipewire.git
synced 2026-04-27 06:46:48 -04:00
e3e1c4d214
Memory Safety: High Several Bluetooth audio codec implementations calculate codesize by multiplying samples * channels * sizeof(sample_type) without overflow checks. The parameters come from Bluetooth codec negotiation, which is influenced by the remote peer. If the multiplication overflows, codesize wraps to a small value, causing subsequent buffer size checks to pass while the actual data processing operates on the full (larger) sample count, leading to heap buffer overflows. Affected codecs: LC3 (BAP), LC3plus (A2DP), Opus (A2DP), Opus-G (A2DP). Add overflow checks before each codesize multiplication to ensure the result fits in the target integer type, returning -EINVAL on overflow. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| aec | ||
| alsa | ||
| audioconvert | ||
| audiomixer | ||
| audiotestsrc | ||
| avb | ||
| bluez5 | ||
| control | ||
| ffmpeg | ||
| filter-graph | ||
| jack | ||
| libcamera | ||
| support | ||
| test | ||
| v4l2 | ||
| videoconvert | ||
| videotestsrc | ||
| volume | ||
| vulkan | ||
| meson.build | ||