From 4d450861f7ff701e4b10c35abda7a1af64d9f7ef Mon Sep 17 00:00:00 2001
From: Andre Noll
Date: Mon, 5 May 2025 23:52:42 +0200
Subject: [PATCH] load_afd(): Double check shared memory sizes.

The shared memory ID is sent by a trusted source, so it is a programming error (rather than a runtime error that could be handled) if the size of the shared memory area is smaller than the size of an audio file data structure. Thus, the right thing to do is to abort immediately in this case.
---
 aft.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/aft.c b/aft.c
index 01cbb96d..132f5119 100644
--- a/aft.c
+++ b/aft.c
@@ -632,15 +632,18 @@ err:
 }
 
 /**
- * Extract a afd stored in a shared memory area.
+ * Extract an audio file data structure from a shared memory area.
  *
- * Attach the shared memory area given by \a shmid, load the audio file data
- * stored therein and detach the area afterwards. Called by vss, after
- * receiving a positive response to the request for the next audio file.
- +
- * \param shmid The identifier of the shared memory area containing the afd.
+ * This is called by the virtual streaming system each time a new audio file
+ * is about to be streamed.
+ *
+ * \param shmid Identifies a serialized version of the audio file data.
  * \param afd Result pointer.
  *
+ * Attach the shared memory area and populate the fields of the audio file
+ * data structure from the contents of the area, allocating the necessary
+ * memory on the heap. Then detach the area.
+ *
  * \return Standard.
  */
 int load_afd(int shmid, struct audio_file_data *afd)
@@ -655,6 +658,7 @@ int load_afd(int shmid, struct audio_file_data *afd)
 ret = shm_size(shmid, &obj.size);
 if (ret < 0)
 goto detach;
+ assert(obj.size >= sizeof(*afd));
 *afd = *(struct audio_file_data *)shm_afd;
 obj.data = shm_afd + sizeof(*afd);
 obj.size -= sizeof(*afd);
-- 
2.39.5
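Review bot: The rewritten comment on load_afd() says memory is allocated on the heap but not who releases it or which fields of `afd` own it, so a caller cannot tell from the comment what it has to free. It also omits the precondition this commit starts enforcing in the body, namely that the process aborts when the area is smaller than an audio file data structure. I would add two sentences to the description paragraph, along the lines of `The caller is responsible for freeing the allocated fields of \a afd.` and `Aborts if the area is smaller than struct audio_file_data.` The first needs checking against the body, which this hunk does not show.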
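Review bot: The new `assert(obj.size >= sizeof(*afd));` is compiled out whenever the file is built with NDEBUG, so the size guard that the commit message calls mandatory would silently vanish in such a build. Without it, the struct copy on the next line reads past an undersized area, and `obj.size -= sizeof(*afd)` wraps to a huge value if `obj.size` is unsigned (its type is not visible in the hunk). Since the intent is to abort, a check that does not depend on build flags keeps that guarantee: `if (obj.size < sizeof(*afd)) abort();`. A short comment above it, e.g. `/* shmid comes from a trusted sender, so a short area is a bug, not a runtime error */`, would record why this does not take the `detach` error path. load_afd()'s body starts before and continues after the hunk.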