From: Jun Yu
To: marcandre.lureau@redhat.com, odaki@rsg.ci.i.u-tokyo.ac.jp
Cc: mark.caveayland@nutanix.com, philmd@linaro.org, thuth@redhat.com, qemu-devel@nongnu.org, Jun Yu
Subject: [PATCH] audio/pipewire: Fix stack overflow by moving buffer to heap
Date: Wed, 8 Apr 2026 09:23:41 +0800
Message-Id: <20260408012341.16131-1-yujun@kylinos.cn>

The PWVoice struct was allocating a large 4MB buffer on the stack using uint8_t buffer[RINGBUFFER_SIZE], which could cause stack overflow.

This commit:
1. Changes the buffer from stack allocation to heap allocation by replacing uint8_t buffer[RINGBUFFER_SIZE] with uint8_t *buffer
2. Adds g_malloc() calls in qpw_init_out() and qpw_init_in() to allocate the buffer on the heap
3. Adds g_free() in qpw_voice_fini() to properly clean up the buffer
4.
Adds error handling for allocation failures This fix prevents stack overflow while maintaining the same functionality, as each audio stream (input/output) still gets its own independent buffer for the ringbuffer operations. Signed-off-by: Jun Yu --- audio/pwaudio.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/audio/pwaudio.c b/audio/pwaudio.c index a59c22e60b..ff75ec2af2 100644 --- a/audio/pwaudio.c +++ b/audio/pwaudio.c @@ -56,7 +56,7 @@ typedef struct PWVoice { uint32_t highwater_mark; uint32_t frame_size, req; struct spa_ringbuffer ring; - uint8_t buffer[RINGBUFFER_SIZE]; + uint8_t *buffer; =20 pwvolume volume; bool muted; @@ -532,6 +532,12 @@ qpw_init_out(HWVoiceOut *hw, struct audsettings *as) AudiodevPipewirePerDirectionOptions *ppdo =3D popts->out; int r; =20 + v->buffer =3D g_malloc(RINGBUFFER_SIZE); + if (!v->buffer) { + error_report("pipewire: failed to allocate buffer"); + return -1; + } + pw_thread_loop_lock(c->thread_loop); =20 v->info.format =3D audfmt_to_pw(as->fmt, as->big_endian); @@ -551,6 +557,8 @@ qpw_init_out(HWVoiceOut *hw, struct audsettings *as) ppdo->name, SPA_DIRECTION_OUTPUT); if (r < 0) { pw_thread_loop_unlock(c->thread_loop); + g_free(v->buffer); + v->buffer =3D NULL; return -1; } =20 @@ -579,6 +587,12 @@ qpw_init_in(HWVoiceIn *hw, struct audsettings *as) AudiodevPipewirePerDirectionOptions *ppdo =3D popts->in; int r; =20 + v->buffer =3D g_malloc(RINGBUFFER_SIZE); + if (!v->buffer) { + error_report("pipewire: failed to allocate buffer"); + return -1; + } + pw_thread_loop_lock(c->thread_loop); =20 v->info.format =3D audfmt_to_pw(as->fmt, as->big_endian); @@ -595,6 +609,8 @@ qpw_init_in(HWVoiceIn *hw, struct audsettings *as) ppdo->name, SPA_DIRECTION_INPUT); if (r < 0) { pw_thread_loop_unlock(c->thread_loop); + g_free(v->buffer); + v->buffer =3D NULL; return -1; } =20 
@@ -619,6 +635,8 @@ qpw_voice_fini(AudioPw *c, PWVoice *v) pw_stream_destroy(v->stream); v->stream =3D NULL; pw_thread_loop_unlock(c->thread_loop); + g_free(v->buffer); + v->buffer =3D NULL; } =20 static void --=20 2.25.1
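Review bot: in the PWVoice hunk, the removed `uint8_t buffer[RINGBUFFER_SIZE];` is a struct member, so it occupies stack space only where a PWVoice is declared as a local variable, and no such declaration appears in this patch. The commit message should name the site that places a PWVoice on the stack, or describe the observed symptom, so the overflow claim can be checked. Separately, turning the array into `uint8_t *buffer` changes what `sizeof(v->buffer)` evaluates to, so any remaining use of that expression in audio/pwaudio.c needs to become RINGBUFFER_SIZE.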
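Review bot: the `if (!v->buffer)` checks that follow `g_malloc(RINGBUFFER_SIZE)` in qpw_init_out() and qpw_init_in() can never fire, because g_malloc() aborts the process on allocation failure instead of returning NULL. Either drop the check together with the error_report() call, or switch to g_try_malloc() if the intent is to fail voice initialisation gracefully, which is what item 4 of the commit message describes.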
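Review bot: the `r < 0` branches in qpw_init_out() and qpw_init_in() free the buffer by hand, but only that one failure return is visible in each hunk; any other early return between the allocation and the end of the function needs the same cleanup or the buffer leaks. The repeated pair `g_free(v->buffer); v->buffer = NULL;` can be written as `g_clear_pointer(&v->buffer, g_free);`, which keeps the free and the reset from drifting apart when more error paths are added.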
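Review bot: in qpw_voice_fini() the `g_free(v->buffer)` sits after `pw_thread_loop_unlock()`, so its safety rests on `pw_stream_destroy()` having already stopped every callback that reads or writes the ring buffer. A one-line comment stating that ordering requirement, or moving the free inside the locked region right after the stream is destroyed, would keep a later reordering from turning this into a use-after-free.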