pipewire/spa
Wim Taymans f3538dd7fe security: validate metadata length before subtraction in BIS config
Memory Safety: Critical

When a Bluetooth BIS metadata entry has length=0 (e.g. when the JSON
config contains a "type" key but no "value" key, leaving the
calloc-initialized length at zero), the expression
'metadata_entry->length - 1' underflows to SIZE_MAX because the int
value is implicitly converted to size_t in the memcpy call. This causes
memcpy to read far past the metadata_entry->value buffer, leading to a
heap buffer overflow and likely crash.

Add a check that metadata_entry->length >= 1 before the subtraction,
rejecting entries with invalid length.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-27 11:03:54 +02:00
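A minimal C stand-in for the failure the commit message describes, added here as an illustration and not taken from the commit or from PipeWire. It shows the `int` subtraction being converted to `size_t` at the memcpy call, and the "length >= 1" check beside it. The struct layout, the 256-byte value buffer, the LTV-style meaning of the subtraction (length counting a one-byte type plus the value) and every name below are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for the metadata entry in the commit above.
 * Field names, the 256-byte value buffer and the LTV-style layout
 * (length counts a one-byte type plus the value) are assumptions.
 */
struct bis_metadata_entry {
    int length;           /* int, like the field the commit describes */
    uint8_t type;
    uint8_t value[256];
};

/* Build an entry the way a calloc()ed config entry would look when the
 * JSON had a "type" key but no "value" key: everything zero-filled,
 * then only the fields that were present get set. */
static struct bis_metadata_entry entry_with_length(int length)
{
    struct bis_metadata_entry e;
    memset(&e, 0, sizeof e);       /* same zero-fill as calloc */
    e.type = 0x01;
    e.length = length;
    return e;
}

/* Size the vulnerable expression hands to memcpy. The subtraction is
 * done in int (0 - 1 == -1); the result is then converted to size_t
 * because memcpy's third parameter is size_t, giving SIZE_MAX. */
size_t vulnerable_copy_size(int length)
{
    struct bis_metadata_entry e = entry_with_length(length);
    size_t n = e.length - 1;       /* int -1 becomes SIZE_MAX when length == 0 */
    return n;
}

/* Hardened copy: validate before subtracting, then bound the copy by
 * both the source buffer and the destination. Returns bytes copied,
 * or -1 for a rejected entry. */
int copy_metadata_value(uint8_t *dst, size_t dst_size, int length)
{
    struct bis_metadata_entry e = entry_with_length(length);

    if (e.length < 1)              /* the check the commit adds */
        return -1;

    size_t n = (size_t)e.length - 1;
    if (n > sizeof e.value || n > dst_size)
        return -1;

    memcpy(dst, e.value, n);
    return (int)n;
}

/* Convenience wrapper for callers that only care about accept/reject. */
int hardened_result(int length)
{
    uint8_t dst[256];
    return copy_metadata_value(dst, sizeof dst, length);
}

int main(void)
{
    printf("length=0 -> memcpy size would be %zu\n", vulnerable_copy_size(0));
    printf("length=0 -> hardened result %d\n", hardened_result(0));
    printf("length=5 -> hardened result %d\n", hardened_result(5));
    return 0;
}
```

The hardened version also caps the copy by the source and destination sizes; the commit only states the `length >= 1` check, so the extra bound is an addition of this example, not something the page attributes to the fix.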
examples spa: examples: fix getopt usage + typos in adapter-control 2025-10-26 14:12:19 +00:00
include spa: add spa_alloca that does overflow and limit checks 2026-04-27 10:53:44 +02:00
include-private/spa-private spa: move dbus helpers out of bluez plugin 2024-02-05 13:03:20 +00:00
lib spa: update lib.c 2026-03-09 18:33:32 +01:00
plugins security: validate metadata length before subtraction in BIS config 2026-04-27 11:03:54 +02:00
tests spa/tests: remove unused #include <linux/limits.h> 2026-03-11 21:50:21 +00:00
tools tools: port various tools to the new json-builder 2026-02-26 10:51:17 +01:00
meson.build meson: Always use -fno-strict-aliasing and -fno-strict-overflow 2025-07-24 07:30:28 +00:00