From 78743cca7b28345920b788c3827c960e9afc3e64 Mon Sep 17 00:00:00 2001 From: Donat Zenichev Date: Wed, 24 Jun 2026 18:23:07 +0200 Subject: [PATCH] MT#61856 media_socket: `extmap_short_is_valid_data()` no 0 len Currently the helper accepts 0 length, but callers actually can try to mutate it with `- 1` what means overflowing it. e.g. `extmap_short_is_valid_data()` has a bitwise operation including length `(id << 4) | (ext->len - 1)` Change-Id: I74f7fa134355059b18ba8c2b4e671c735324bdb7 (cherry picked from commit a51332f675f9505cc7f3735017d0eb86386319a0) (cherry picked from commit ae97b50b98dc56f39f959da3ee9fe0eba2aac877) --- daemon/media_socket.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/daemon/media_socket.c b/daemon/media_socket.c index 00f77eb4e..5f9aae4b2 100644 --- a/daemon/media_socket.c +++ b/daemon/media_socket.c @@ -2298,6 +2298,8 @@ static bool extmap_short_is_valid_data(unsigned int id, size_t len) { // valid ranges for short form? if (id <= 0 || id >= 15) return false; + if (len == 0) + return false; if (len > 16) return false; return true;