From 33304ba1181bde267c8a54f6587778fe0cfd28b6 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 23 May 2007 16:59:03 +0000
Subject: Fix a DoS with allocating overly large silence buffers. (Identified
 by Luigi Auriemma (re #67)

git-svn-id: file:///home/lennart/svn/public/pulseaudio/trunk@1450 fefdeb5f-60dc-0310-8127-8f9354f1896f
---
 src/pulsecore/sample-util.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'src/pulsecore/sample-util.c')

diff --git a/src/pulsecore/sample-util.c b/src/pulsecore/sample-util.c
index 411787af..c8e7acf0 100644
--- a/src/pulsecore/sample-util.c
+++ b/src/pulsecore/sample-util.c
@@ -38,13 +38,25 @@
 #include "sample-util.h"
 #include "endianmacros.h"
 
+#define PA_SILENCE_MAX (1024*1024*1)
+
 pa_memblock *pa_silence_memblock_new(pa_mempool *pool, const pa_sample_spec *spec, size_t length) {
+    size_t fs;
     assert(pool);
     assert(spec);
 
     if (length == 0)
         length = pa_bytes_per_second(spec)/20; /* 50 ms */
 
+    if (length > PA_SILENCE_MAX)
+        length = PA_SILENCE_MAX;
+
+    fs = pa_frame_size(spec);
+    length = ((PA_SILENCE_MAX+fs-1) / fs) * fs;
+
+    if (length <= 0)
+        length = fs;
+    
     return pa_silence_memblock(pa_memblock_new(pool, length), spec);
 }
 
-- 
cgit