[gvfs/gnome-3-8] metadata: Fix short journal check



commit 717322e53a14f6d0ea59e0de1cafb4a94e71a1c2
Author: Alexander Larsson <alexl redhat com>
Date:   Fri Jun 14 10:55:21 2013 +0200

    metadata: Fix short journal check
    
    This was reading the size from the wrong place (*sizep instead of
    *(sizep-1)), and the out-of-bounds checks were wrong.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=637095
    (cherry picked from commit 5a4f9e6a366e40a6967ff1569c7c2eaaabd5c4a1)
    
    Conflicts:
        metadata/metatree.c

 metadata/metatree.c |   15 ++++++++++-----
 1 files changed, 10 insertions(+), 5 deletions(-)
---
diff --git a/metadata/metatree.c b/metadata/metatree.c
index 6aef33c..7e456d3 100644
--- a/metadata/metatree.c
+++ b/metadata/metatree.c
@@ -1205,7 +1205,7 @@ meta_journal_iterate (MetaJournal *journal,
                      gpointer user_data)
 {
   MetaJournalEntry *entry;
-  guint32 *sizep;
+  guint32 *sizep, size;
   char *journal_path, *journal_key, *source_path;
   char *path_copy, *value;
   gboolean res;
@@ -1220,8 +1220,11 @@ meta_journal_iterate (MetaJournal *journal,
   while (entry > journal->first_entry)
     {
       sizep = (guint32 *)entry;
-      entry = (MetaJournalEntry *)((char *)entry - GUINT32_FROM_BE (*(sizep-1)));
-      if (GUINT32_FROM_BE (*(sizep)) < sizeof (MetaJournalEntry) && entry > journal->first_entry)
+      size = GUINT32_FROM_BE (*(sizep-1));
+      entry = (MetaJournalEntry *)((char *)entry - size);
+      if (size < sizeof (MetaJournalEntry) ||
+         entry < journal->first_entry ||
+         entry >= journal->last_entry)
         {
           g_warning ("meta_journal_iterate: found short sized entry, possible journal corruption\n");
           break;
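Review bot: The range check on `entry < journal->first_entry` runs only after `(char *)entry - size` has already been formed from the untrusted trailer value, so a corrupt size larger than the distance back to first_entry creates an out-of-range pointer before it is compared (undefined behaviour in C, and on 32-bit a value near 4 GiB can wrap back above entry, which is what the `entry >= journal->last_entry` clause appears to be guarding against). Bounding the size against the space that is actually left avoids forming the bad pointer at all: `if (size < sizeof (MetaJournalEntry) || size > (gsize) ((char *) entry - (char *) journal->first_entry))` placed before `entry = (MetaJournalEntry *)((char *)entry - size);`, after which the `last_entry` comparison is redundant. If entries also carry a leading size field (the forward walk in apply_journal_to_builder reads one at `*sizep`), comparing it against the trailer value here would catch corruption that a pure range check lets through. meta_journal_iterate begins and ends outside this hunk, so the initial value of entry is not visible here.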
@@ -2265,11 +2268,13 @@ apply_journal_to_builder (MetaTree *tree,
 
       sizep = (guint32 *)entry;
       entry = (MetaJournalEntry *)((char *)entry + GUINT32_FROM_BE (*(sizep)));
-      if (GUINT32_FROM_BE (*(sizep)) < sizeof (MetaJournalEntry) && entry < journal->last_entry)
+      if (GUINT32_FROM_BE (*(sizep)) < sizeof (MetaJournalEntry) ||
+         entry < journal->first_entry ||
+         entry > journal->last_entry)
         {
           /* This shouldn't happen, we found an entry that is shorter than its data */
           /* See https://bugzilla.gnome.org/show_bug.cgi?id=637095 for discussion */
-          g_warning ("apply_journal_to_builder: found short sized entry, possible journal corruption\n");
+          g_warning ("apply_journal_to_builder: found wrong sized entry, possible journal corruption\n");
           break;
         }
     }
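Review bot: The forward advance `entry + GUINT32_FROM_BE (*(sizep))` on the context line is likewise computed before the new bounds test, so an oversized header value yields a pointer past the journal mapping that is only rejected by `entry < journal->first_entry` if it happens to wrap, and the big-endian value is decoded twice. Reading it once and bounding it against the remaining space before moving is safer: `size = GUINT32_FROM_BE (*sizep);` then `if (size < sizeof (MetaJournalEntry) || size > (gsize) ((char *) journal->last_entry - (char *) entry))` and, after the check, `entry = (MetaJournalEntry *)((char *)entry + size);`; a `size` local would need declaring, as this hunk does not show the function's declarations. Since this test sits at the tail of the loop it validates the next entry rather than the current one, so the first entry presumably relies on a check outside this hunk. The enclosing loop and apply_journal_to_builder start before the hunk.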

