File 0002-websocket-fix-some-overflows.patch of Package pipewire
From 9ad5ca2e5a2ebc90954ed76458803a8ef55160b0 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Fri, 27 Feb 2026 17:58:51 +0100
Subject: [PATCH] websocket: fix some overflows
Fix some integer and buffer overflows as suggested by Sami Farin.
---
src/modules/module-sendspin/websocket.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/modules/module-sendspin/websocket.c b/src/modules/module-sendspin/websocket.c
index 959706d79..b6ddf629f 100644
--- a/src/modules/module-sendspin/websocket.c
+++ b/src/modules/module-sendspin/websocket.c
@@ -289,7 +289,7 @@ static int receive_websocket(struct pw_websocket_connection *conn,
/* header done */
conn->status = d[0] & 0xf;
if (d[1] & 0x80)
- header =+ 4;
+ header += 4;
if ((d[1] & 0x7f) == 126)
header += 2;
else if ((d[1] & 0x7f) == 127)
@@ -309,7 +309,9 @@ static int receive_websocket(struct pw_websocket_connection *conn,
header = 8;
for (i = 0; i < header; i++)
payload_len = (payload_len << 8) | d[i + 2];
- need += payload_len;
+ if (payload_len > (size_t)(INT_MAX - need))
+ return -EMSGSIZE;
+ need += (int)payload_len;
conn->data_state++;
}
if (need == 0) {
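Review bot: The accumulation loop `payload_len = (payload_len << 8) | d[i + 2];` can drop the upper bytes of an 8-byte length before the new `INT_MAX - need` comparison runs, if `payload_len` is a `size_t` on a 32-bit build. Its declaration is outside the hunk, but the `(size_t)` cast suggests that type. A truncated value would pass the check and the receiver would misjudge where the frame ends. Accumulating into a `uint64_t` and comparing that against `INT_MAX - need` keeps the guard meaningful on every target. RFC 6455 also requires the most significant bit of the 64-bit length to be zero, so a frame with it set could be rejected with `-EPROTO` at the same place.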
@@ -492,7 +494,7 @@ static int receive_http_reply(struct pw_websocket_connection *conn,
if (sscanf(l, "HTTP/%d.%d %n%d", &v1, &v2, &message, &status) != 3)
return -EPROTO;
conn->status = status;
- strcpy(conn->message, &l[message]);
+ snprintf(conn->message, sizeof(conn->message), "%s", &l[message]);
conn->content_length = 0;
conn->data_state++;
}
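Review bot: The `sscanf(l, "HTTP/%d.%d %n%d", ...)` call just above the fixed copy still converts peer-supplied digits with unbounded `%d`, and a value that does not fit in an `int` is undefined behaviour for the scanf family. Adding field widths, for example `"HTTP/%1d.%1d %n%3d"`, bounds all three conversions without changing what a well-formed status line parses to. The new `snprintf` silently truncates a long reason phrase, which is acceptable for a diagnostic string but worth a short comment such as `/* reason phrase is informational; truncation is fine */`. The rest of `receive_http_reply` lies outside this hunk.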
@@ -642,6 +644,8 @@ static int handle_input(struct pw_websocket_connection *conn)
current)) < 0)
return res;
+ if (conn->data_wanted > SIZE_MAX - res)
+ return -EOVERFLOW;
conn->data_wanted += res;
}
}
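Review bot: The added `conn->data_wanted > SIZE_MAX - res` guard prevents wrap-around but places no practical limit on how much data a peer can make the connection wait for, since `res` may now be anything up to `INT_MAX` after the `receive_websocket` change. Whether a smaller ceiling is enforced where the receive buffer is grown cannot be seen from this hunk. If it is not, a module-level maximum message size checked here would turn an oversized announcement into an early error instead of a large allocation, e.g. `if (res > MAX_MESSAGE_SIZE - conn->data_wanted) return -EMSGSIZE;` with the constant name being a placeholder. Using `-EMSGSIZE` in both places would also keep the error codes consistent between this hunk and `receive_websocket`.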
@@ -1012,8 +1016,13 @@ int pw_websocket_connection_send(struct pw_websocket_connection *conn, uint8_t o
uint8_t *d, *mask = NULL, maskbit = conn->maskbit;
size_t payload_length = 0;
- for (i = 0; i < iov_len; i++)
+ for (i = 0; i < iov_len; i++) {
+ if (payload_length > SIZE_MAX - iov[i].iov_len)
+ return -EOVERFLOW;
payload_length += iov[i].iov_len;
+ }
+ if (payload_length > SIZE_MAX - sizeof(*msg) - 14)
+ return -EOVERFLOW;
if ((msg = calloc(1, sizeof(*msg) + 14 + payload_length)) == NULL)
return -errno;
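Review bot: The literal `14` now appears in both the new overflow check and the `calloc` size, and the two must stay in step for the check to protect the allocation. A named constant would make that dependency explicit, for instance `#define WS_MAX_HEADER_SIZE 14 /* 2 base + 8 extended length + 4 mask */` (name is a suggestion), used as `SIZE_MAX - sizeof(*msg) - WS_MAX_HEADER_SIZE` and `sizeof(*msg) + WS_MAX_HEADER_SIZE + payload_length`. The remainder of `pw_websocket_connection_send` is outside the hunk, so any further use of the same header bound there should adopt the constant as well.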
--
GitLab