From 437a63d7d417e3392a8657efa36755280c46de59 Mon Sep 17 00:00:00 2001
From: Alex P
Date: Tue, 18 Nov 2025 01:22:15 +0200
Subject: [PATCH] Add bounds check for Opus packets in Go layer

Validate packet size <= 1500 bytes before passing to C code to provide defense-in-depth alongside existing C-layer validation.
---
 internal/audio/cgo_source.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/internal/audio/cgo_source.go b/internal/audio/cgo_source.go
index 24bf854b..02cb259f 100644
--- a/internal/audio/cgo_source.go
+++ b/internal/audio/cgo_source.go
@@ -214,6 +214,10 @@ func (c *CgoSource) WriteMessage(msgType uint8, payload []byte) error {
 return nil
 }

+ if len(payload) > 1500 {
+ return fmt.Errorf("opus packet too large: %d bytes (max 1500)", len(payload))
+ }
+
 rc := C.jetkvm_audio_decode_write(unsafe.Pointer(&payload[0]), C.int(len(payload)))
 if rc < 0 {
 return fmt.Errorf("jetkvm_audio_decode_write failed: %d", rc)
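Review bot: The limit 1500 appears as a bare literal twice in the added check (the comparison and the error text), with nothing tying it to the limit the C layer enforces, so the two can drift apart and the Go-side check would silently stop matching what the C decoder accepts. A named constant with a comment, e.g. `const maxOpusPacketSize = 1500 // must match the C-layer packet limit`, used as `if len(payload) > maxOpusPacketSize {` and passed to the message through a second `%d`, keeps them in step. Separately, `&payload[0]` on the line after the check panics on an empty slice; the guard ending in `return nil` starts above the hunk, so it is not visible whether it covers `len(payload) == 0`, which is worth confirming. WriteMessage's body starts and ends outside the hunk.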