fdo-mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-20 13:38:15 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
pipewire/src/modules
History
Wim Taymans e277a91842 security: fix integer overflows in netjack2 MIDI packet handling 
Memory Safety: High

In netjack2_recv_midi(), the offset calculation `max_size * sub_cycle`
uses sub_cycle from an untrusted network packet header. A large
sub_cycle value could cause integer overflow, producing a small offset
that passes the subsequent bounds check and leads to an out-of-bounds
write into the MIDI data buffer.

Similarly, the bounds check `offset + len < midi_size` could itself
overflow, and the `used` size calculation from network-controlled
event_count and write_pos fields could overflow to bypass the size
check.

Fix by adding an explicit overflow check before the multiplication,
rewriting the bounds check to use subtraction (which cannot overflow
after the prior check), and adding an underflow check on the `used`
calculation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-23 17:47:27 +02:00
..
module-adapter *: unify config.h handling 2025-05-30 10:24:13 +00:00
module-avb module-avb: es_builder: use the descriptor rather than a pointer to avoid overwriting it 2026-04-20 10:10:58 +02:00
module-client-device core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-client-node core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-jack-tunnel dlopen: support search path ending in / 2026-04-13 10:26:33 +02:00
module-metadata metadata: Added context monitor for removed globals 2024-02-12 08:40:49 +00:00
module-netjack2 security: fix integer overflows in netjack2 MIDI packet handling 2026-04-23 17:47:27 +02:00
module-profiler treewide: use SPDX tags to specify copyright information 2023-02-16 10:54:48 +00:00
module-protocol-native test: fix pod size 2026-04-08 11:28:04 +02:00
module-protocol-pulse security: fix integer overflow in PulseAudio message buffer allocation 2026-04-23 17:46:47 +02:00
module-raop fix some uninitialized variables warnings 2026-04-08 11:29:36 +02:00
module-roc pipewire: module-roc-{sink,source}: fix log format string issues 2026-02-19 19:37:15 +00:00
module-rt doc: clarify rlimits conf file 2024-01-05 10:22:28 +01:00
module-rtp module-rtp: Lower missing timeout log line from warn to trace 2026-03-30 23:45:34 +02:00
module-sendspin fix some uninitialized variables warnings 2026-04-08 11:29:36 +02:00
module-session-manager core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-vban midi: don't convert Midi in nodes 2026-03-25 11:59:43 +01:00
spa doc: move modules around to add to docs 2025-01-28 12:33:47 +01:00
zeroconf-utils zeroconf: sanitize the properties 2026-02-27 17:31:42 +01:00
flatpak-utils.h modules: get also instance id for flatpak apps 2025-05-12 09:40:32 +00:00
meson.build meson: try to fix the doc build 2026-02-27 18:23:45 +01:00
module-access.c *: unify config.h handling 2025-05-30 10:24:13 +00:00
module-adapter.c core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-avb.c *: unify config.h handling 2025-05-30 10:24:13 +00:00
module-client-device.c core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-client-node.c modules: remove v0 protocol support 2025-07-10 16:26:01 +02:00
module-combine-stream.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-echo-cancel.c security: fix missing malloc NULL checks in echo-cancel 2026-04-23 16:25:19 +02:00
module-example-filter.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-example-sink.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-example-source.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-fallback-sink.c *: unify config.h handling 2025-05-30 10:24:13 +00:00
module-ffado-driver.c midi: don't convert Midi in nodes 2026-03-25 11:59:43 +01:00
module-filter-chain.c filter-graph: use convolver2 for sofa 2026-04-21 16:52:49 +02:00
module-jack-tunnel.c docs: remove support for absolute paths from docs 2026-04-06 14:47:21 +02:00
module-jackdbus-detect.c *: unify config.h handling 2025-05-30 10:24:13 +00:00
module-link-factory.c core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-loopback.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-metadata.c core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-netjack2-driver.c modules: add PRIORITY_SESSION 2026-02-16 10:38:05 +01:00
module-netjack2-manager.c node: remove node.link-group from drivers 2026-03-05 14:32:41 +01:00
module-parametric-equalizer.c module-eq: Unload filter-chain on destruction 2025-12-26 18:53:48 +00:00
module-pipe-tunnel.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-portal.c *: unify config.h handling 2025-05-30 10:24:13 +00:00
module-profiler.c core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-protocol-native.c core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-protocol-pulse.c pulse-server: increase min quantum values 2025-11-06 12:52:48 +01:00
module-protocol-simple.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-pulse-tunnel.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-raop-discover.c zeroconf: sanitize the properties 2026-02-27 17:31:42 +01:00
module-raop-sink.c security: clear RAOP password from memory before freeing 2026-04-23 16:59:20 +02:00
module-roc-sink.c pipewire: module-roc-{sink,source}: remove logging related unused code 2026-02-19 19:37:15 +00:00
module-roc-source.c pipewire: module-roc-{sink,source}: remove logging related unused code 2026-02-19 19:37:15 +00:00
module-rt.c module-rt: warn if setting niceness fails with rtlimit 2025-12-11 16:38:00 -08:00
module-rtp-sap.c module-rtp: Add more logging for debugging timer related issues 2026-03-30 23:45:34 +02:00
module-rtp-session.c zeroconf: sanitize the properties 2026-02-27 17:31:42 +01:00
module-rtp-sink.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-rtp-source.c module-rtp-source: Only enable IGMP recovery when using multicast 2026-03-30 23:45:34 +02:00
module-scheduler-v1.c scheduler: make nodes move to IDLE when inactive 2026-04-14 14:28:29 +02:00
module-sendspin-recv.c sendspin: cleanup receive sync and logging 2026-03-01 12:49:24 +01:00
module-sendspin-send.c sendspin: negotiate the first raw format 2026-03-13 12:03:11 +01:00
module-session-manager.c Fix typos 2024-05-22 09:19:34 +02:00
module-snapcast-discover.c fix some uninitialized variables warnings 2026-04-08 11:29:36 +02:00
module-spa-device-factory.c core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-spa-device.c doc: move modules around to add to docs 2025-01-28 12:33:47 +01:00
module-spa-node-factory.c core: use %u format specifier for uint32_t IDs 2026-04-16 08:54:15 +00:00
module-spa-node.c doc: move modules around to add to docs 2025-01-28 12:33:47 +01:00
module-vban-recv.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-vban-send.c modules: support audio.layout where we can 2025-10-30 12:29:31 +01:00
module-x11-bell.c *: unify config.h handling 2025-05-30 10:24:13 +00:00
module-zeroconf-discover.c zeroconf: sanitize the properties 2026-02-27 17:31:42 +01:00
network-utils.h network-utils: pw_net_are_addresses_equal() function 2026-03-30 23:45:33 +02:00