mirror of
https://gitlab.freedesktop.org/wayland/wayland.git
synced 2026-02-08 10:06:40 -05:00
bace3cd819
The size argument to wl_connection_demarshal() is taken from the message by the caller wl_client_connection_data(), therefore 'size' is untrusted data controllable by a Wayland client. The size should always be at least the header size, otherwise the header is invalid. If the size is smaller than header size, it leads to reading past the end of allocated memory. Furthermore if size is zero, wl_closure_init() changes behaviour and leaves num_arrays uninitialized, leading to access of arbitrary memory. Check that 'size' fits at least the header. The space for arguments is already properly checked. This makes the request_bogus_size test free of errors under Valgrind. Fixes: https://gitlab.freedesktop.org/wayland/wayland/issues/52 Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com> Reviewed-by: Simon Ser <contact@emersion.fr> |
||
|---|---|---|
| .. | ||
| .gitignore | ||
| connection.c | ||
| dtddata.S | ||
| event-loop.c | ||
| scanner.c | ||
| wayland-client-core.h | ||
| wayland-client-uninstalled.pc.in | ||
| wayland-client.c | ||
| wayland-client.h | ||
| wayland-client.pc.in | ||
| wayland-os.c | ||
| wayland-os.h | ||
| wayland-private.h | ||
| wayland-scanner-uninstalled.pc.in | ||
| wayland-scanner.pc.in | ||
| wayland-server-core.h | ||
| wayland-server-uninstalled.pc.in | ||
| wayland-server.c | ||
| wayland-server.h | ||
| wayland-server.pc.in | ||
| wayland-shm.c | ||
| wayland-util.c | ||
| wayland-util.h | ||
| wayland-version.h.in | ||