maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity

internal/pipewire: spa_dict trailing garbage within POD

Browse Source 
This performs the check within the bounds of the POD only. This was not caught since spa_dict was only used as the final struct field until now.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-11-25 13:39:02 +09:00
parent b1b27ac1df
commit a0eb010aab
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
internal/pipewire/pod.go
View File

@@ -400,6 +400,8 @@ func (d *SPADict) UnmarshalPOD(data []byte) (Word, error) {
if err := unmarshalCheckTypeBounds(&data, SPA_TYPE_Struct, &wireSize); err != nil { if err := unmarshalCheckTypeBounds(&data, SPA_TYPE_Struct, &wireSize); err != nil {
return wireSize, err return wireSize, err
} }
// bounds check completed in successful call to unmarshalCheckTypeBounds
data = data[:wireSize]
if size, err := Unmarshal(data, &d.NItems); err != nil { if size, err := Unmarshal(data, &d.NItems); err != nil {
return wireSize, err return wireSize, err