From 0f45d784d83908b6e010f29c80b16dbb42b9147a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Barnab=C3=A1s=20P=C5=91cze?= <pobrn@protonmail.com>
Date: Mon, 20 Jun 2022 17:22:45 +0200
Subject: [PATCH] pulse-server: update client::name on UPDATE_CLIENT_PROPLIST
 command

`client::name` points to a string that is owned by `client::props`,
so when the property list is updated, it needs to be refreshed as well.
Otherwise, various use-after-frees can be triggered, for example:

==1471586==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200007e7d0 at pc 0x7f14390755d0 bp 0x7ffe23edee30 sp 0x7ffe23ede5a8
READ of size 3 at 0x60200007e7d0 thread T0
    #0 0x7f14390755cf in printf_common /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:553
    #1 0x7f1439077215 in __interceptor_vsnprintf /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1665
    #2 0x7f1434ead47d in spa_vscnprintf ../spa/include/spa/utils/string.h:239
    #3 0x7f1434eae2ae in impl_log_logtv ../spa/plugins/support/logger.c:138
    #4 0x7f14385cacc7 in pw_log_logt ../src/pipewire/log.c:135
    #5 0x7f1433aef8e9 in do_set_profile ../src/modules/module-protocol-pulse/pulse-server.c:4656
    #6 0x7f1433b0af4d in handle_packet ../src/modules/module-protocol-pulse/server.c:109
    #7 0x7f1433b0e747 in do_read ../src/modules/module-protocol-pulse/server.c:276
    #8 0x7f1433b0eb04 in on_client_data ../src/modules/module-protocol-pulse/server.c:306
    #9 0x7f1434ec56a0 in source_io_func ../spa/plugins/support/loop.c:442
    #10 0x7f1434ec4a21 in loop_iterate ../spa/plugins/support/loop.c:430
    #11 0x7f14385dc23d in pw_main_loop_run ../src/pipewire/main-loop.c:148
    #12 0x55b065d73722 in main ../src/daemon/pipewire.c:131
    #13 0x7f143742928f  (/usr/lib/libc.so.6+0x2928f)
    #14 0x7f1437429349 in __libc_start_main (/usr/lib/libc.so.6+0x29349)
    #15 0x55b065d722a4 in _start (./src/daemon/pipewire-pulse+0x42a4)

0x60200007e7d0 is located 0 bytes inside of 16-byte region [0x60200007e7d0,0x60200007e7e0)
freed by thread T0 here:
    #0 0x7f14390be672 in __interceptor_free /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f14386a775a in do_replace ../src/pipewire/properties.c:414
    #2 0x7f14386a785e in pw_properties_set ../src/pipewire/properties.c:441
    #3 0x7f14386a658b in pw_properties_update ../src/pipewire/properties.c:309
    #4 0x7f1433adb055 in do_update_proplist ../src/modules/module-protocol-pulse/pulse-server.c:3246
    #5 0x7f1433b0af4d in handle_packet ../src/modules/module-protocol-pulse/server.c:109
    #6 0x7f1433b0e747 in do_read ../src/modules/module-protocol-pulse/server.c:276
    #7 0x7f1433b0eb04 in on_client_data ../src/modules/module-protocol-pulse/server.c:306
    #8 0x7f1434ec56a0 in source_io_func ../spa/plugins/support/loop.c:442
    #9 0x7f1434ec4a21 in loop_iterate ../spa/plugins/support/loop.c:430
    #10 0x7f14385dc23d in pw_main_loop_run ../src/pipewire/main-loop.c:148
    #11 0x55b065d73722 in main ../src/daemon/pipewire.c:131
    #12 0x7f143742928f  (/usr/lib/libc.so.6+0x2928f)

previously allocated by thread T0 here:
    #0 0x7f1439072faa in __interceptor_strdup /usr/src/debug/gcc/libsanitizer/asan/asan_interceptors.cpp:439
    #1 0x7f14386a6fe2 in do_replace ../src/pipewire/properties.c:394
    #2 0x7f14386a785e in pw_properties_set ../src/pipewire/properties.c:441
    #3 0x7f1433a6c52d in read_props ../src/modules/module-protocol-pulse/message.c:147
    #4 0x7f1433a6f467 in message_get ../src/modules/module-protocol-pulse/message.c:359
    #5 0x7f1433ab3191 in do_set_client_name ../src/modules/module-protocol-pulse/pulse-server.c:1030
    #6 0x7f1433b0af4d in handle_packet ../src/modules/module-protocol-pulse/server.c:109
    #7 0x7f1433b0e747 in do_read ../src/modules/module-protocol-pulse/server.c:276
    #8 0x7f1433b0eb04 in on_client_data ../src/modules/module-protocol-pulse/server.c:306
    #9 0x7f1434ec56a0 in source_io_func ../spa/plugins/support/loop.c:442
    #10 0x7f1434ec4a21 in loop_iterate ../spa/plugins/support/loop.c:430
    #11 0x7f14385dc23d in pw_main_loop_run ../src/pipewire/main-loop.c:148
    #12 0x55b065d73722 in main ../src/daemon/pipewire.c:131
    #13 0x7f143742928f  (/usr/lib/libc.so.6+0x2928f)
---
 src/modules/module-protocol-pulse/client.h       | 2 +-
 src/modules/module-protocol-pulse/pulse-server.c | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/modules/module-protocol-pulse/client.h b/src/modules/module-protocol-pulse/client.h
index d93445840..b1f30f630 100644
--- a/src/modules/module-protocol-pulse/client.h
+++ b/src/modules/module-protocol-pulse/client.h
@@ -56,7 +56,7 @@ struct client {
 	struct server *server;
 
 	int ref;
-	const char *name;
+	const char *name; /* owned by `client::props` */
 
 	struct spa_source *source;
 
diff --git a/src/modules/module-protocol-pulse/pulse-server.c b/src/modules/module-protocol-pulse/pulse-server.c
index 5d230afb5..23524bb5a 100644
--- a/src/modules/module-protocol-pulse/pulse-server.c
+++ b/src/modules/module-protocol-pulse/pulse-server.c
@@ -3245,6 +3245,7 @@ static int do_update_proplist(struct client *client, uint32_t command, uint32_t
 	} else {
 		if (pw_properties_update(client->props, &props->dict) > 0) {
 			client_update_quirks(client);
+			client->name = pw_properties_get(client->props, PW_KEY_APP_NAME);
 			pw_core_update_properties(client->core, &client->props->dict);
 		}
 	}