PulseAudio Marge Bot pushed to branch master at PulseAudio / pulseaudio


Commits:
5830e030 by Igor V. Kovalenko at 2023-02-10T00:25:11+03:00
bluetooth: Do not attempt decoding too short faststream packet data

Looks like sbc_decode() would seldom access more than specified input length
bytes from input buffer if input length is less than expected frame size.

Fix potential access past allocated memory by checking if input contains
complete frame before calling sbc_decode()

Part-of: <https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/merge_requests/781>

- - - - -


1 changed file:

- src/modules/bluetooth/a2dp-codec-sbc.c


Changes:

=====================================
src/modules/bluetooth/a2dp-codec-sbc.c
=====================================
@@ -1331,6 +1331,11 @@ static size_t decode_buffer_faststream(void *codec_info, 
const uint8_t *input_bu
             continue;
         }
 
+        if (to_decode < sbc_info->frame_length) {
+            pa_log_debug("FastStream SBC input %lu is too short (expected 
frame length %lu)", to_decode, sbc_info->frame_length);
+            break;
+        }
+
         decoded = sbc_decode(&sbc_info->sbc,
                              p, to_decode,
                              decode_buffer, sizeof(decode_buffer),
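
Review bot: The added pa_log_debug() call prints to_decode and sbc_info->frame_length with %lu. Their declarations are not visible in this hunk, but if they are size_t, the portable specifier is %zu, because size_t is not unsigned long on every ABI and the mismatch is undefined behaviour in a printf-style call. Separately, the break leaves the loop with the remaining to_decode bytes undecoded and reports it only at debug level. A one-line comment above the check stating that a trailing partial frame is dropped on purpose, because sbc_decode() may read past the given input length, would keep a later cleanup from removing the guard. It is also worth confirming that the value returned after the loop still reflects only the bytes that were actually consumed.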



View it on GitLab: 
https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/commit/5830e03036f51fc06687e61be000708b464a094e
