bluetooth: Do not attempt decoding too short faststream packet data

Looks like sbc_decode() would seldom access more than specified input length
bytes from input buffer if input length is less than expected frame size.

Fix potential access past allocated memory by checking if input contains
complete frame before calling sbc_decode()

Part-of: <https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/merge_requests/781>
Igor V. Kovalenko 2023-02-09 23:15:55 +03:00
parent 5cefef591e
commit 5830e03036

@ -1331,6 +1331,11 @@ static size_t decode_buffer_faststream(void *codec_info, const uint8_t *input_bu
continue;
}
if (to_decode < sbc_info->frame_length) {
pa_log_debug("FastStream SBC input %lu is too short (expected frame length %lu)", to_decode, sbc_info->frame_length);
break;
}
decoded = sbc_decode(&sbc_info->sbc,
p, to_decode,
decode_buffer, sizeof(decode_buffer),
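
Review bot: the added pa_log_debug() call formats to_decode and sbc_info->frame_length with %lu. Neither declaration is visible in this hunk, but if they are size_t (the function itself returns size_t), %zu is the matching specifier; %lu produces format warnings or wrong output on targets where size_t is not unsigned long. Also, the break exits the loop with to_decode bytes still unconsumed, so please confirm that the code after the loop accounts for that truncated tail instead of reporting the packet as fully processed. A short comment above the check saying why a partial frame must not reach sbc_decode() would help future readers.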