gvariant: Fix bounds checking in GVariant text format parser10ee7301e8edb13e59143ee5653cd2b46e26c044236/head
| commit | 10ee7301e8edb13e59143ee5653cd2b46e26c044 | |
| author | Philip Withnall <withnall@endlessm.com> | |
| Thu, 9 Aug 2018 00:00:20 +0000 (9 01:00 +0100) | ||
| committer | Philip Withnall <withnall@endlessm.com> | |
| Thu, 9 Aug 2018 00:08:46 +0000 (9 01:08 +0100) | ||
| tree | dc5a4c39eaedf165a97631ec5da0fb7c5ec5da19 | treesnapshot (tar.gz zip) |
| parent | 291bb0c584118f37ad40261179980b513dff8bb9 | commitdiff |
gvariant: Fix bounds checking in GVariant text format parser
The token_stream_peek() functions were not doing any bounds checking, so
could potentially read 1 byte off the end of the input blob. This was
never noticed, since the input stream is almost always a nul-terminated
string. However, g_variant_parse() does allow non-nul-terminated strings
to be used with a @limit parameter, and the bugs become apparent under
valgrind if that parameter is used.
This includes modifications to the test cases to cover the
non-nul-terminated case.
Spotted by ossfuzz.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
The token_stream_peek() functions were not doing any bounds checking, so
could potentially read 1 byte off the end of the input blob. This was
never noticed, since the input stream is almost always a nul-terminated
string. However, g_variant_parse() does allow non-nul-terminated strings
to be used with a @limit parameter, and the bugs become apparent under
valgrind if that parameter is used.
This includes modifications to the test cases to cover the
non-nul-terminated case.
Spotted by ossfuzz.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
| glib/gvariant-parser.c | diffblobblamehistory | |
| glib/tests/gvariant.c | diffblobblamehistory |