bluez5: avoid heap overflow in AAC decoder

aacDecoder_DecodeFrame expects the number of destination INT_PCM samples,
not bytes. Since INT_PCM is int16_t (2 bytes), passing dst_size in bytes
tells the decoder the buffer is 2x larger than reality.

Note that we don't need to care about the number of channels in this
size, the decoder will do that for us.
Wim Taymans 2026-05-08 12:49:54 +02:00
parent 6d3122c1b1
commit 136fc59765

@ -585,7 +585,7 @@ static int codec_decode(void *data,
return -EINVAL;
}
res = aacDecoder_DecodeFrame(this->aacdec, dst, dst_size, 0);
res = aacDecoder_DecodeFrame(this->aacdec, dst, dst_size / sizeof(INT_PCM), 0);
if (res != AAC_DEC_OK) {
spa_log_debug(log, "AAC decode frame error: 0x%04X", res);
return -EINVAL;
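
Review bot: The bytes-to-samples conversion in the aacDecoder_DecodeFrame call is done inline with no comment, so nothing at the call site says which unit the third argument is in, and the mismatch fixed here is easy to reintroduce. Consider computing the value into a named local (for example dst_samples) with a one-line comment stating that the decoder takes a count of INT_PCM samples rather than bytes, and that no per-channel adjustment is needed, as the commit message explains. The integer division rounds down when dst_size is not a multiple of sizeof(INT_PCM), which is the safe direction, but that is also worth stating in the comment.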