mirror of
https://gitlab.freedesktop.org/pipewire/pipewire.git
synced 2026-05-20 06:38:10 +02:00
Memory Safety: High

In netjack2_recv_midi(), the offset calculation `max_size * sub_cycle` uses sub_cycle from an untrusted network packet header. A large sub_cycle value could cause integer overflow, producing a small offset that passes the subsequent bounds check and leads to an out-of-bounds write into the MIDI data buffer. Similarly, the bounds check `offset + len < midi_size` could itself overflow, and the `used` size calculation from network-controlled event_count and write_pos fields could overflow to bypass the size check.

Fix by adding an explicit overflow check before the multiplication, rewriting the bounds check to use subtraction (which cannot overflow after the prior check), and adding an underflow check on the `used` calculation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
| File |
|---|
| packets.h |
| peer.c |
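The offset and bounds checks described in the commit message above, shown in their unchecked and overflow-safe forms. This is an added example, not PipeWire's code: the function names, the 32-bit parameter types and the sample values are assumptions, and the `used` calculation is left out because its formula is not shown on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins: max_size, sub_cycle and len model values derived
 * from a network packet header; midi_size is the local buffer size. */

/* Unchecked form: both the product and the sum can wrap around in 32 bits. */
static bool naive_range_ok(uint32_t max_size, uint32_t sub_cycle,
                           uint32_t len, uint32_t midi_size)
{
    uint32_t offset = max_size * sub_cycle; /* may wrap to a small value */
    return offset + len < midi_size;        /* may wrap as well */
}

/* Checked form: test before multiplying, then compare by subtraction. */
static bool checked_range_ok(uint32_t max_size, uint32_t sub_cycle,
                             uint32_t len, uint32_t midi_size,
                             uint32_t *offset_out)
{
    if (max_size != 0 && sub_cycle > UINT32_MAX / max_size)
        return false;                       /* product would overflow */
    uint32_t offset = max_size * sub_cycle;
    if (offset >= midi_size)
        return false;                       /* start is outside the buffer */
    if (len >= midi_size - offset)          /* no wrap: offset < midi_size */
        return false;
    *offset_out = offset;
    return true;
}

int main(void)
{
    uint32_t off = 0;
    /* Constructed inputs: 0x10000 * 0x10000 wraps to 0 in 32 bits. */
    printf("naive   accepts wrapped product: %d\n",
           naive_range_ok(0x10000u, 0x10000u, 16u, 1024u));
    printf("checked accepts wrapped product: %d\n",
           checked_range_ok(0x10000u, 0x10000u, 16u, 1024u, &off));
    /* Constructed input: 512 + 0xFFFFFFFF wraps to 511. */
    printf("naive   accepts wrapped sum: %d\n",
           naive_range_ok(512u, 1u, UINT32_MAX, 1024u));
    printf("checked accepts wrapped sum: %d\n",
           checked_range_ok(512u, 1u, UINT32_MAX, 1024u, &off));
    return 0;
}
```

For in-range inputs the checked form accepts exactly what `offset + len < midi_size` accepts; the two differ only where the 32-bit arithmetic would have wrapped.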