On Tue, 12 Mar 2019 23:11:03 +0000 Simon Ser <[email protected]> wrote:
> Hi,
>
> On Wednesday, March 6, 2019 12:58 PM, Pekka Paalanen <[email protected]> wrote:
> > From: Pekka Paalanen [email protected]
> >
> > The size argument to wl_connection_demarshal() is taken from the message by the
> > caller wl_client_connection_data(), therefore 'size' is untrusted data
> > controllable by a Wayland client. The size should always be at least the header
> > size, otherwise the header is invalid.
> >
> > If the size is smaller than header size, it leads to reading past the end of
> > allocated memory. Furthermore if size is zero, wl_closure_init() changes
> > behaviour and leaves num_arrays uninitialized, leading to access of arbitrary
> > memory.
> >
> > Check that 'size' fits at least the header. The space for arguments is already
> > properly checked.
> >
> > This makes the request_bogus_size test free of errors under Valgrind.
> >
> > Fixes: https://gitlab.freedesktop.org/wayland/wayland/issues/52
> >
> > Signed-off-by: Pekka Paalanen [email protected]
>
> Both patches look good to me. I've also tested them with -fsanitize=address.
>
> Take this with a grain of salt since I'm not very familiar with libwayland's
> demarshalling code, but this is:
>
> Reviewed-by: Simon Ser <[email protected]>

Hi,

I added your R-b and made a MR:
https://gitlab.freedesktop.org/wayland/wayland/merge_requests/2

Thanks,
pq
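The header-size check described in the quoted commit message, as an added stand-alone example that is not part of this thread and not libwayland's code. `parse_header()`, `try_size()` and `struct msg_header` are hypothetical names; the layout assumed is the Wayland wire header (object id word, then size in the upper 16 bits and opcode in the lower 16 bits of the second word).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire header: word 0 = object id, word 1 = (size << 16) | opcode. */
#define HDR_SIZE (2 * sizeof(uint32_t))

/* Hypothetical type for this example, not a libwayland structure. */
struct msg_header { uint32_t object_id; uint16_t opcode; uint16_t size; };

/* 1: complete message at buf; 0: need more bytes; -1: invalid header (EINVAL). */
int parse_header(const uint8_t *buf, size_t avail, struct msg_header *out)
{
    uint32_t p[2];
    if (avail < HDR_SIZE)
        return 0;
    memcpy(p, buf, sizeof p);            /* host byte order on the wire */
    out->object_id = p[0];
    out->opcode = p[1] & 0xffff;
    out->size = p[1] >> 16;              /* client-controlled value */

    /* Unchecked, a later size - HDR_SIZE would wrap to a huge size_t. */
    if (out->size < HDR_SIZE) {
        errno = EINVAL;
        return -1;
    }
    return out->size <= avail;
}

/* Constructed input: header for object 3, opcode 1, with a chosen size. */
int try_size(uint16_t declared, size_t avail)
{
    uint8_t buf[16] = {0};
    uint32_t p[2] = { 3, ((uint32_t)declared << 16) | 1 };
    struct msg_header h;

    memcpy(buf, p, sizeof p);
    return parse_header(buf, avail, &h);
}

int main(void)
{
    const uint16_t sizes[] = { 0, 4, 8, 12, 16 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("size=%2u -> %d\n", (unsigned)sizes[i], try_size(sizes[i], 12));
    return 0;
}
```

A declared size of 0 passes a plain "enough bytes buffered" comparison, which is why the lower bound has to be checked separately from the upper one.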
