[gnome-session] main: fix heap overflow in dbus-launch wrapping



commit 7ee3571c79ea202a8309f64f3cb235119178d080
Author: Hanno Boeck <hanno hboeck de>
Date:   Mon Jul 11 10:37:03 2016 -0400

    main: fix heap overflow in dbus-launch wrapping
    
    I have discovered a heap overflow with the help of an address sanitizer.
    
    The require_dbus_session() function has this code:
    
            new_argv = g_malloc (argc + 3 * sizeof (*argv));
    
    The intention is to allocate space for (argc + 3) pointers. However obviously a
    parenthesis is missing, therefore only argc bytes + 3 * pointer size gets
    allocated, which is insufficient space. This leads to invalid memory writes.
    
    The fix is trivial: Parentheses around argc + 3.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=768441

 gnome-session/main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/gnome-session/main.c b/gnome-session/main.c
index 3dd6529..4f5b7f5 100644
--- a/gnome-session/main.c
+++ b/gnome-session/main.c
@@ -189,7 +189,7 @@ require_dbus_session (int      argc,
                               TRUE);
 
         /* +2 for our new arguments, +1 for NULL */
-        new_argv = g_malloc (argc + 3 * sizeof (*argv));
+        new_argv = g_malloc ((argc + 3) * sizeof (*argv));
 
         new_argv[0] = "dbus-launch";
         new_argv[1] = "--exit-with-session";
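
Review bot: the added g_malloc line still computes the byte count by hand, which is the pattern that let the precedence slip through in the first place. Consider g_new with argv's element type and a count of argc + 3 here, so the element count and element size are passed separately and GLib performs the multiplication with an overflow check. The comment above the allocation already states the intended count (+2 arguments, +1 NULL), so the count expression would then match it directly.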

