[glib: 1/2] gvariant: Fix more bounds checking in GVariant text format parser



commit a9108f8bfd26da9d5054cce56c5dcd9292181240
Author: Philip Withnall <withnall endlessm com>
Date:   Fri Aug 10 10:28:06 2018 +0100

    gvariant: Fix more bounds checking in GVariant text format parser
    
    token_stream_prepare() was over-reading at the start of bytestring
    literals (`b'blah'`).
    
    Add tests for that, and for some other situations regarding bytestring
    literal parsing, in order to try and get full branch coverage of that
    bit of code.
    
    oss-fuzz#9805
    
    Signed-off-by: Philip Withnall <withnall endlessm com>

 glib/gvariant-parser.c |  3 ++-
 glib/tests/gvariant.c  | 11 +++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
---
diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
index 233a19f7c..335c71425 100644
--- a/glib/gvariant-parser.c
+++ b/glib/gvariant-parser.c
@@ -197,7 +197,8 @@ token_stream_prepare (TokenStream *stream)
       break;
 
     case 'b':
-      if (stream->stream[1] == '\'' || stream->stream[1] == '"')
+      if (stream->stream + 1 != stream->end &&
+          (stream->stream[1] == '\'' || stream->stream[1] == '"'))
         {
           for (end = stream->stream + 2; end != stream->end; end++)
             if (*end == stream->stream[1] || *end == '\0' ||
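Review bot: The new guard on `stream->stream + 1 != stream->end` is correct but silent about why it is there, and it repeats the `stream->stream[1]` read inside the scan loop; naming the quote once makes both the bound and the loop's intent obvious: `/* need a byte after the 'b' to see the opening quote; the fuzzer hit an over-read here */` followed by `const gchar quote = stream->stream[1];` and `if (*end == quote || *end == '\0' ||`. The loop body (escape handling) continues past the hunk, so I cannot see it from here; if it advances `end` past a backslash to skip the escaped byte, that increment also needs to stop at `stream->end`, otherwise a literal ending in `\` steps over the end pointer and the `end != stream->end` loop test never fires. The rows `b'\\` and `b'\\'` in the test hunk suggest that case is handled, but the code itself should be checked. token_stream_prepare() starts before and ends after this hunk.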
diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
index 5aac3de53..de8e42d0b 100644
--- a/glib/tests/gvariant.c
+++ b/glib/tests/gvariant.c
@@ -3892,6 +3892,17 @@ test_parse_failures (void)
     "string 4",                 "7-8:",            "can not parse as",
     "\x0a",                     "1:",              "expected value",
     "((",                       "2:",              "expected value",
+    "(b",                       "1:",              "expected value",
+    "b'",                       "0-2:",            "unterminated string constant",
+    "b\"",                      "0-2:",            "unterminated string constant",
+    "b'a",                      "0-3:",            "unterminated string constant",
+    "b\"a",                     "0-3:",            "unterminated string constant",
+    "b'\\",                     "0-3:",            "unterminated string constant",
+    "b\"\\",                    "0-3:",            "unterminated string constant",
+    "b'\\'",                    "0-4:",            "unterminated string constant",
+    "b\"\\\"",                  "0-4:",            "unterminated string constant",
+    "b'\\'a",                   "0-5:",            "unterminated string constant",
+    "b\"\\\"a",                 "0-5:",            "unterminated string constant",
   };
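Review bot: These rows only exercise the out-of-bounds read that the parser hunk fixes if test_parse_failures() hands the parser an explicit end pointer; the rest of the function is outside the hunk, so I cannot confirm that. If it calls the parser with a NULL limit, the byte after `b` in `"(b"` is the string's NUL terminator, which is inside the allocation, and the unfixed code would have produced the same `1: expected value` result without any sanitizer report. A one-line comment above the new rows would make the intent durable, e.g. `/* bytestring literals cut off at every point, incl. right after the opening quote (oss-fuzz#9805) */`. It is also worth a row where the input is cut off after `b` alone (`"b"`) rather than only inside a parenthesis, so the boundary is tested at position 0 as well as position 1, assuming the harness reports the same `expected value` text for it.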
   gint i;
 

