[glib] gdbus: fix out-of-bound array access

From: Marc-Andre Lureau <malureau src gnome org>
To: commits-list gnome org
Cc:
Subject: [glib] gdbus: fix out-of-bound array access
Date: Tue, 21 Apr 2015 20:55:30 +0000 (UTC)

commit 41acf970accd25c4446e8f28c0b817e332722c23
Author: Marc-André Lureau <marcandre lureau gmail com>
Date:   Fri Mar 6 15:22:33 2015 +0100

    gdbus: fix out-of-bound array access
    
    In path_rule_matches(), the given paths may be of 0-length. Do not
    access memory before the array in those case. This is for example
    triggered by:
    
    test_match_rule (con, G_DBUS_SIGNAL_FLAGS_MATCH_ARG0_PATH, "/", "", FALSE);
    
    in test_connection_signal_match_rules().
    
    This bug was found thanks to GCC AddressSanitizer.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=745745

 gio/gdbusconnection.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c
index 9ebf6d2..4465562 100644
--- a/gio/gdbusconnection.c
+++ b/gio/gdbusconnection.c
@@ -3703,10 +3703,10 @@ path_rule_matches (const gchar *path_a,
   len_a = strlen (path_a);
   len_b = strlen (path_b);
 
-  if (len_a < len_b && path_a[len_a - 1] != '/')
+  if (len_a < len_b && (len_a == 0 || path_a[len_a - 1] != '/'))
     return FALSE;
 
-  if (len_b < len_a && path_b[len_b - 1] != '/')
+  if (len_b < len_a && (len_b == 0 || path_b[len_b - 1] != '/'))
     return FALSE;
 
   return memcmp (path_a, path_b, MIN (len_a, len_b)) == 0;

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]