Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:GA
glib2.11799
0001-gvariant-Fix-checking-arithmetic-for-tuple...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-gvariant-Fix-checking-arithmetic-for-tuple-element-e.patch of Package glib2.11799
From 7ec1e7e7c8e085454927bb102faaad0c74cf5966 Mon Sep 17 00:00:00 2001 From: Philip Withnall <withnall@endlessm.com> Date: Thu, 16 Aug 2018 20:12:02 +0100 Subject: [PATCH 01/15] gvariant: Fix checking arithmetic for tuple element ends MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When checking whether a serialised GVariant tuple is in normal form, it’s possible for `offset_ptr -= offset_size` to underflow and wrap around, resulting in gvs_read_unaligned_le() reading memory outside the serialised GVariant bounds. See §(Tuples) in gvariant-serialiser.c for the documentation on how tuples are serialised. Briefly, all variable-length elements in the tuple have an offset to their end stored in an array of offsets at the end of the tuple. The width of each offset is in offset_size. offset_ptr is added to the start of the serialised tuple to get the offset which is currently being examined. The offset array is in reverse order compared to the tuple elements, hence the subtraction. The bug can be triggered if a tuple contains a load of variable-length elements, each of whose length is actually zero (i.e. empty arrays). Includes a unit test. oss-fuzz#9801 Signed-off-by: Philip Withnall <withnall@endlessm.com> --- glib/gvariant-serialiser.c | 3 +++ glib/tests/gvariant.c | 28 ++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c index 69f183121..96df54e23 100644 --- a/glib/gvariant-serialiser.c +++ b/glib/gvariant-serialiser.c @@ -1065,6 +1065,9 @@ gvs_tuple_is_normal (GVariantSerialised value) break; case G_VARIANT_MEMBER_ENDING_OFFSET: + if (offset_ptr < offset_size) + return FALSE; + offset_ptr -= offset_size; if (offset_ptr < offset) diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c index de8e42d0b..a5095a380 100644 --- a/glib/tests/gvariant.c +++ b/glib/tests/gvariant.c @@ -4631,6 +4631,30 @@ test_stack_dict_init (void) g_variant_unref (variant); } +/* Test checking arbitrary binary data for normal form. This time, it’s a tuple + * with invalid element ends. */ +static void +test_normal_checking_tuples (void) +{ + const guint8 data[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, + 'a', '(', 'a', 'o', 'a', 'o', 'a', 'a', 'o', 'a', 'a', 'o', ')' + }; + gsize size = sizeof (data); + GVariant *variant = NULL; + GVariant *normal_variant = NULL; + + variant = g_variant_new_from_data (G_VARIANT_TYPE_VARIANT, data, size, + FALSE, NULL, NULL); + g_assert_nonnull (variant); + + normal_variant = g_variant_get_normal_form (variant); + g_assert_nonnull (normal_variant); + + g_variant_unref (normal_variant); + g_variant_unref (variant); +} + int main (int argc, char **argv) { @@ -4692,5 +4716,9 @@ main (int argc, char **argv) g_test_add_func ("/gvariant/stack-builder-init", test_stack_builder_init); g_test_add_func ("/gvariant/stack-dict-init", test_stack_dict_init); + + g_test_add_func ("/gvariant/normal-checking/tuples", + test_normal_checking_tuples); + return g_test_run (); } -- 2.14.4
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor