authorIgor V. Kovalenko <igor.v.kovalenko@gmail.com>2023-02-09 23:15:55 +0300
committerIgor V. Kovalenko <igor.v.kovalenko@gmail.com>2023-02-10 00:25:11 +0300
commit5830e03036f51fc06687e61be000708b464a094e (patch)
tree617483a7aaad6368f313edb0e70daf092ac41814 /src/modules/bluetooth/a2dp-codec-sbc.c
parent5cefef591ef6c0fd1c514202b0fcfbe466cab873 (diff)
bluetooth: Do not attempt decoding too short faststream packet data
Looks like sbc_decode() would seldom access more than the specified input length bytes from the input buffer if the input length is less than the expected frame size. Fix potential access past allocated memory by checking that the input contains a complete frame before calling sbc_decode(). Part-of: <https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/merge_requests/781>
Diffstat (limited to 'src/modules/bluetooth/a2dp-codec-sbc.c')
-rw-r--r--src/modules/bluetooth/a2dp-codec-sbc.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/modules/bluetooth/a2dp-codec-sbc.c b/src/modules/bluetooth/a2dp-codec-sbc.c
index 5476697f8..1306c79f2 100644
--- a/src/modules/bluetooth/a2dp-codec-sbc.c
+++ b/src/modules/bluetooth/a2dp-codec-sbc.c
@@ -1331,6 +1331,11 @@ static size_t decode_buffer_faststream(void *codec_info, const uint8_t *input_bu
continue;
}
+ if (to_decode < sbc_info->frame_length) {
+ pa_log_debug("FastStream SBC input %lu is too short (expected frame length %lu)", to_decode, sbc_info->frame_length);
+ break;
+ }
+
decoded = sbc_decode(&sbc_info->sbc,
p, to_decode,
decode_buffer, sizeof(decode_buffer),
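Review bot: The new guard compares `to_decode` against the stored `sbc_info->frame_length`, not against the length implied by the header of the frame at `p`, so it only protects `sbc_decode()` if the two always agree. If the remote device can send a frame whose header describes a longer frame than the stored value (not visible in this hunk), a truncated frame would still pass the check; a comment such as `/* assumes every FastStream frame is exactly sbc_info->frame_length bytes; a longer header-derived length is not covered here */` would make that assumption explicit. Separately, both logged values appear to be `size_t` (declared outside the hunk), so the format should use `%zu` rather than `%lu`, which mismatches where `size_t` is not `unsigned long`. The enclosing loop in `decode_buffer_faststream` starts and ends outside the hunk, so whether `break` leaves the function's returned byte counts consistent cannot be checked from here.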