• Pekka Paalanen's avatar
    connection: fix demarshal of invalid header · bace3cd8
    Pekka Paalanen authored
    The size argument to wl_connection_demarshal() is taken from the message by the
    caller wl_client_connection_data(), therefore 'size' is untrusted data
    controllable by a Wayland client. The size should always be at least the header
    size, otherwise the header is invalid.
    
    If the size is smaller than header size, it leads to reading past the end of
    allocated memory. Furthermore if size is zero, wl_closure_init() changes
    behaviour and leaves num_arrays uninitialized, leading to access of arbitrary
    memory.
    
    Check that 'size' fits at least the header. The space for arguments is already
    properly checked.
    
    This makes the request_bogus_size test free of errors under Valgrind.
    
    Fixes: wayland/wayland#52Signed-off-by: Pekka Paalanen's avatarPekka Paalanen <pekka.paalanen@collabora.com>
    Reviewed-by: Simon Ser's avatarSimon Ser <contact@emersion.fr>
    bace3cd8
Name
Last commit
Last update
cursor Loading commit data...
doc Loading commit data...
egl Loading commit data...
m4 Loading commit data...
protocol Loading commit data...
src Loading commit data...
tests Loading commit data...
.gitignore Loading commit data...
.gitlab-ci.yml Loading commit data...
CONTRIBUTING.md Loading commit data...
COPYING Loading commit data...
Makefile.am Loading commit data...
README Loading commit data...
TODO Loading commit data...
autogen.sh Loading commit data...
configure.ac Loading commit data...
publish-doc Loading commit data...
wayland-scanner.m4 Loading commit data...
wayland-scanner.mk Loading commit data...