]> code.delx.au - pulseaudio/commitdiff
delx.au / code / pulseaudio / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4a05bc9)
Fix a DoS with allocating overly large silence buffers. (Identified by Luigi Auriemma...
authorLennart Poettering <lennart@poettering.net>
Wed, 23 May 2007 16:59:03 +0000 (16:59 +0000)
committerLennart Poettering <lennart@poettering.net>
Wed, 23 May 2007 16:59:03 +0000 (16:59 +0000)
git-svn-id: file:///home/lennart/svn/public/pulseaudio/trunk@1450 fefdeb5f-60dc-0310-8127-8f9354f1896f

src/pulsecore/sample-util.c patch | blob | history

diff --git a/src/pulsecore/sample-util.c b/src/pulsecore/sample-util.c
index 411787af032de204957062a2e29b1f6db2b54bfc..c8e7acf06f4ce8175cad38c898166f9dc41845fc 100644 (file)
--- a/src/pulsecore/sample-util.c
+++ b/src/pulsecore/sample-util.c
@@ -38,13 +38,25 @@
 #include "sample-util.h"
 #include "endianmacros.h"
 
+#define PA_SILENCE_MAX (1024*1024*1)
+
 pa_memblock *pa_silence_memblock_new(pa_mempool *pool, const pa_sample_spec *spec, size_t length) {
+    size_t fs;
     assert(pool);
     assert(spec);
 
     if (length == 0)
         length = pa_bytes_per_second(spec)/20; /* 50 ms */
 
+    if (length > PA_SILENCE_MAX)
+        length = PA_SILENCE_MAX;
+
+    fs = pa_frame_size(spec);
+    length = ((PA_SILENCE_MAX+fs-1) / fs) * fs;
+
+    if (length <= 0)
+        length = fs;
+    
     return pa_silence_memblock(pa_memblock_new(pool, length), spec);
 }