connection: Don't write past the end of the connection buffer

If a message was too big to fit in the connection buffer, the code in wl_buffer_put would just write past the end of it. I haven't seen any real world use case that would trigger this bug, but it was possible to trigger it by sending a long enough string to the wl_data_source.offer request. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=69267
2025-11-08 13:29:47 -05:00 · 2014-04-17 18:20:37 +03:00 · 2014-04-17 18:20:37 +03:00 · bfc93649cb
commit bfc93649cb
parent 5e2cfd2a0a
2 changed files with 54 additions and 8 deletions
--- a/tests/connection-test.c
+++ b/tests/connection-test.c
@ -235,6 +235,27 @@ expected_fail_marshal(int expected_error, const char *format, ...)
 	assert(errno == expected_error);
 }

+static void
+expected_fail_marshal_send(struct marshal_data *data, int expected_error,
+			   const char *format, ...)
+{
+	struct wl_closure *closure;
+	static const uint32_t opcode = 4444;
+	static struct wl_object sender = { NULL, NULL, 1234 };
+	struct wl_message message = { "test", format, NULL };
+	va_list ap;
+
+	va_start(ap, format);
+	closure = wl_closure_vmarshal(&sender, opcode, ap, &message);
+	va_end(ap);
+
+	assert(closure);
+	assert(wl_closure_send(closure, data->write_connection) < 0);
+	assert(errno == expected_error);
+
+	wl_closure_destroy(closure);
+}
+
 TEST(connection_marshal_nullables)
 {
 	struct marshal_data data;
@ -490,6 +511,22 @@ TEST(connection_marshal_alot)
 	release_marshal_data(&data);
 }

+TEST(connection_marshal_too_big)
+{
+	struct marshal_data data;
+	char *big_string = malloc(5000);
+
+	memset(big_string, ' ', 4999);
+	big_string[4999] = '\0';
+
+	setup_marshal_data(&data);
+
+	expected_fail_marshal_send(&data, E2BIG, "s", big_string);
+
+	release_marshal_data(&data);
+	free(big_string);
+}
+
 static void
 marshal_helper(const char *format, void *handler, ...)
 {