Skip to content
Commit bace3cd8 authored by Pekka Paalanen's avatar Pekka Paalanen
Browse files

connection: fix demarshal of invalid header 

The size argument to wl_connection_demarshal() is taken from the message by the
caller wl_client_connection_data(), therefore 'size' is untrusted data
controllable by a Wayland client. The size should always be at least the header
size, otherwise the header is invalid.

If the size is smaller than header size, it leads to reading past the end of
allocated memory. Furthermore if size is zero, wl_closure_init() changes
behaviour and leaves num_arrays uninitialized, leading to access of arbitrary
memory.

Check that 'size' fits at least the header. The space for arguments is already
properly checked.

This makes the request_bogus_size test free of errors under Valgrind.

Fixes: https://gitlab.freedesktop.org/wayland/wayland/issues/52



Signed-off-by: default avatarPekka Paalanen <pekka.paalanen@collabora.com>
Reviewed-by: default avatarSimon Ser <contact@emersion.fr>
parent 446047ed
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment