`pw_properties_serialize_dict()` can cause stack buffer overflow
For example, running:
pactl load-module module-ladspa-sink plugin=asd label=xxxxxxx... (~10 million more)
could result in a stack overflow like the following:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==429313==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe66e53298 (pc 0x7f0c1e34fc77 bp 0x7ffe69653490 sp 0x7ffe66e532a0 T0)
#0 0x7f0c1e34fc77 in pw_properties_serialize_dict ../src/pipewire/properties.c:562
#1 0x7f0c17c384cf in module_ladspa_sink_load ../src/modules/module-protocol-pulse/modules/module-ladspa-sink.c:83
#2 0x7f0c17b7ad4c in module_load ../src/modules/module-protocol-pulse/module.c:74
#3 0x7f0c17bda486 in do_load_module ../src/modules/module-protocol-pulse/pulse-server.c:5067
#4 0x7f0c17c19730 in handle_packet ../src/modules/module-protocol-pulse/pulse-server.c:5430
#5 0x7f0c17c1a7d3 in do_read ../src/modules/module-protocol-pulse/pulse-server.c:5585
#6 0x7f0c17c1b3d8 in on_client_data ../src/modules/module-protocol-pulse/pulse-server.c:5611
#7 0x7f0c1923e456 in source_io_func ../spa/plugins/support/loop.c:321
#8 0x7f0c19244707 in loop_iterate ../spa/plugins/support/loop.c:309
#9 0x7f0c1e29f879 in pw_main_loop_run ../src/pipewire/main-loop.c:154
#10 0x560e3f66cadd in main ../src/daemon/pipewire.c:118
#11 0x7f0c1d2c3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
#12 0x560e3f66c23d in _start (/home/pb/temp/src/pipewire/build/src/daemon/pipewire+0x323d)
SUMMARY: AddressSanitizer: stack-overflow ../src/pipewire/properties.c:562 in pw_properties_serialize_dict
==429313==ABORTING
The overflow is due to a variable-length array in `pw_properties_serialize_dict()`: the scratch buffer is sized from the length of the property value, so a sufficiently long value exhausts the stack.
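An added illustration of the defect class, not PipeWire's code: a property-value serializer whose scratch buffer follows the untrusted value's length, shown as the VLA shape the report describes and as a heap-allocated replacement with bounded size arithmetic. The escaping rules, the `escaped_len`/`serialize_value` names and the 10 MB demo value are assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bytes a value occupies once serialized as a double-quoted string with
 * '"' and '\\' backslash-escaped (quotes included, NUL excluded). */
size_t escaped_len(const char *in, size_t len)
{
    size_t n = 2;
    for (size_t i = 0; i < len; i++)
        n += (in[i] == '"' || in[i] == '\\') ? 2 : 1;
    return n;
}

/* The defect class in the report: scratch space sized by the untrusted value
 * and placed on the stack:
 *     char tmp[escaped_len(in, len) + 1];   // VLA: a 10 MB label needs ~10 MB of stack
 * Main-thread stacks are commonly 8 MB, so the fault happens before any check
 * can run. Hardened: guard the size arithmetic, then allocate from the heap.
 * Returns a NUL-terminated string the caller frees, or NULL on failure. */
char *serialize_value(const char *in, size_t len)
{
    if (len > (SIZE_MAX - 3) / 2) return NULL;   /* escaped_len(...) + 1 would wrap */
    char *out = malloc(escaped_len(in, len) + 1);
    if (out == NULL) return NULL;
    size_t o = 0;
    out[o++] = '"';
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '"' || in[i] == '\\') out[o++] = '\\';
        out[o++] = in[i];
    }
    out[o++] = '"';
    out[o] = '\0';
    return out;
}

/* Exercises escaping and a ~10 MB value (constructed, like the report's label);
 * returns 1 when both paths produce the expected output. */
int serialize_demo(void)
{
    size_t big = 10 * 1000 * 1000;
    char *s = serialize_value("a\"b\\c", 5);
    int ok = s != NULL && strcmp(s, "\"a\\\"b\\\\c\"") == 0;
    free(s);
    char *label = malloc(big);
    if (label == NULL) return 0;
    memset(label, 'x', big);
    s = serialize_value(label, big);
    ok = ok && s != NULL && strlen(s) == big + 2 && s[0] == '"' && s[big + 1] == '"';
    free(s);
    free(label);
    return ok;
}
```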
Edited by Barnabás Pőcze