Merge branch 'dbus-1.6'

Conflicts:
	NEWS
	configure.ac

NEWS

 D-Bus 1.7.4 (UNRELEASED)
 ==
 
+Security fixes:
+
+• CVE-2013-2168: Fix misuse of va_list that could be used as a denial
+  of service for system services. Vulnerability reported by Alexandru Cornea.
+  (Simon)
+
 Dependencies:
 
 • The Windows version of libdbus now contains a C++ source file, used
@@ -21,7 +27,7 @@ Enhancements:
 • Improve dbus-send documentation and command-line parsing (fd.o #65424,
   Chengwei Yang)
 
-Fixes:
+Other fixes:
 
 • In dbus-daemon, don't crash if a .service file starts with key=value
   (fd.o #60853, Chengwei Yang)

dbus/dbus-sysdeps-unix.c

@@ -3135,8 +3135,11 @@ _dbus_printf_string_upper_bound (const char *format,
   char static_buf[1024];
   int bufsize = sizeof (static_buf);
   int len;
+  va_list args_copy;
 
-  len = vsnprintf (static_buf, bufsize, format, args);
+  DBUS_VA_COPY (args_copy, args);
+  len = vsnprintf (static_buf, bufsize, format, args_copy);
+  va_end (args_copy);
 
   /* If vsnprintf() returned non-negative, then either the string fits in
    * static_buf, or this OS has the POSIX and C99 behaviour where vsnprintf
@@ -3152,8 +3155,12 @@ _dbus_printf_string_upper_bound (const char *format,
        * or the real length could be coincidentally the same. Which is it?
        * If vsnprintf returns the truncated length, we'll go to the slow
        * path. */
-      if (vsnprintf (static_buf, 1, format, args) == 1)
+      DBUS_VA_COPY (args_copy, args);
+
+      if (vsnprintf (static_buf, 1, format, args_copy) == 1)
         len = -1;
+
+      va_end (args_copy);
     }
 
   /* If vsnprintf() returned negative, we have to do more work.
@@ -3169,7 +3176,10 @@ _dbus_printf_string_upper_bound (const char *format,
       if (buf == NULL)
         return -1;
 
-      len = vsnprintf (buf, bufsize, format, args);
+      DBUS_VA_COPY (args_copy, args);
+      len = vsnprintf (buf, bufsize, format, args_copy);
+      va_end (args_copy);
+
       dbus_free (buf);
 
       /* If the reported length is exactly the buffer size, round up to the

dbus/dbus-sysdeps-win.c

@@ -626,9 +626,12 @@ int _dbus_printf_string_upper_bound (const char *format,
   char buf[1024];
   int bufsize;
   int len;
+  va_list args_copy;
 
   bufsize = sizeof (buf);
-  len = _vsnprintf (buf, bufsize - 1, format, args);
+  DBUS_VA_COPY (args_copy, args);
+  len = _vsnprintf (buf, bufsize - 1, format, args_copy);
+  va_end (args_copy);
 
   while (len == -1) /* try again */
     {
@@ -641,7 +644,9 @@ int _dbus_printf_string_upper_bound (const char *format,
       if (p == NULL)
         return -1;
 
-      len = _vsnprintf (p, bufsize - 1, format, args);
+      DBUS_VA_COPY (args_copy, args);
+      len = _vsnprintf (p, bufsize - 1, format, args_copy);
+      va_end (args_copy);
       free (p);
     }
 

test/Makefile.am

@@ -81,6 +81,10 @@ shell_test_LDADD = libdbus-testutils.la
 spawn_test_CPPFLAGS = $(static_cppflags)
 spawn_test_LDADD = $(top_builddir)/dbus/libdbus-internal.la
 
+test_printf_SOURCES = internals/printf.c
+test_printf_CPPFLAGS = $(static_cppflags)
+test_printf_LDADD = $(top_builddir)/dbus/libdbus-internal.la
+
 test_refs_SOURCES = internals/refs.c
 test_refs_CPPFLAGS = $(static_cppflags)
 test_refs_LDADD = libdbus-testutils.la $(GLIB_LIBS)
@@ -97,6 +101,7 @@ testexec_PROGRAMS =
 
 installable_tests = \
 	shell-test \
+	test-printf \
 	$(NULL)
 
 if DBUS_WITH_GLIB

test/internals/printf.c

+/* Regression test for _dbus_printf_string_upper_bound
+ *
+ * Author: Simon McVittie <simon.mcvittie@collabora.co.uk>
+ * Copyright © 2013 Intel Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation files
+ * (the "Software"), to deal in the Software without restriction,
+ * including without limitation the rights to use, copy, modify, merge,
+ * publish, distribute, sublicense, and/or sell copies of the Software,
+ * and to permit persons to whom the Software is furnished to do so,
+ * subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include <config.h>
+
+#define DBUS_COMPILATION    /* this test uses libdbus-internal */
+#include <dbus/dbus.h>
+#include <dbus/dbus-internals.h>
+#include <dbus/dbus-string.h>
+#include "test-utils.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+
+static void
+do_test (int minimum,
+    const char *format,
+    ...)
+{
+  va_list ap;
+  int result;
+
+  va_start (ap, format);
+  result = _dbus_printf_string_upper_bound (format, ap);
+  va_end (ap);
+
+  if (result < minimum)
+    {
+      fprintf (stderr, "expected at least %d, got %d\n", minimum, result);
+      abort ();
+    }
+}
+
+#define X_TIMES_8 "XXXXXXXX"
+#define X_TIMES_16   X_TIMES_8   X_TIMES_8
+#define X_TIMES_32   X_TIMES_16  X_TIMES_16
+#define X_TIMES_64   X_TIMES_32  X_TIMES_32
+#define X_TIMES_128  X_TIMES_64  X_TIMES_64
+#define X_TIMES_256  X_TIMES_128 X_TIMES_128
+#define X_TIMES_512  X_TIMES_256 X_TIMES_256
+#define X_TIMES_1024 X_TIMES_512 X_TIMES_512
+
+int
+main (int argc,
+    char **argv)
+{
+  char buf[] = X_TIMES_1024 X_TIMES_1024 X_TIMES_1024 X_TIMES_1024;
+  int i;
+
+  do_test (1, "%d", 0);
+  do_test (7, "%d", 1234567);
+  do_test (3, "%f", 3.5);
+
+  do_test (0, "%s", "");
+  do_test (1024, "%s", X_TIMES_1024);
+  do_test (1025, "%s", X_TIMES_1024 "Y");
+
+  for (i = 4096; i > 0; i--)
+    {
+      buf[i] = '\0';
+      do_test (i, "%s", buf);
+      do_test (i + 3, "%s:%d", buf, 42);
+    }
+
+  return 0;
+}