Google Git
Sign in
chromium / external / anongit.freedesktop.org / git / wayland / wayland / bace3cd819798571189671b68590adff3fd40997
commitbace3cd819798571189671b68590adff3fd40997[log] [tgz]
authorPekka Paalanen <pekka.paalanen@collabora.com>Wed Mar 06 11:42:23 2019
committerPekka Paalanen <pekka.paalanen@collabora.com>Wed Mar 13 10:39:16 2019
tree039cfca495d742b269649c7fc13e03a7ed6f87e9
parent446047edf2da8b3ce899f28253f14dff18d9f4d7 [diff]
connection: fix demarshal of invalid header

The size argument to wl_connection_demarshal() is taken from the message by the
caller wl_client_connection_data(), therefore 'size' is untrusted data
controllable by a Wayland client. The size should always be at least the header
size, otherwise the header is invalid.

If the size is smaller than header size, it leads to reading past the end of
allocated memory. Furthermore if size is zero, wl_closure_init() changes
behaviour and leaves num_arrays uninitialized, leading to access of arbitrary
memory.

Check that 'size' fits at least the header. The space for arguments is already
properly checked.

This makes the request_bogus_size test free of errors under Valgrind.

Fixes: https://gitlab.freedesktop.org/wayland/wayland/issues/52

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
Reviewed-by: Simon Ser <contact@emersion.fr>
2 files changed
tree: 039cfca495d742b269649c7fc13e03a7ed6f87e9
  1. cursor/
  2. doc/
  3. egl/
  4. m4/
  5. protocol/
  6. src/
  7. tests/
  8. .gitignore
  9. .gitlab-ci.yml
  10. autogen.sh
  11. configure.ac
  12. CONTRIBUTING.md
  13. COPYING
  14. Makefile.am
  15. publish-doc
  16. README
  17. TODO
  18. wayland-scanner.m4
  19. wayland-scanner.mk