[glib/glib-2-56: 6/17] gvariant: Limit GVariant strings to G_MAXSSIZE
- From: Philip Withnall <pwithnall src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib/glib-2-56: 6/17] gvariant: Limit GVariant strings to G_MAXSSIZE
- Date: Tue, 6 Nov 2018 13:12:40 +0000 (UTC)
commit 355c4b4176fe7f32c9bae5ac4ab7da16256a15a2
Author: Philip Withnall <withnall endlessm com>
Date: Tue Sep 18 13:29:18 2018 +0100
gvariant: Limit GVariant strings to G_MAXSSIZE
When validating a string to see if it’s valid UTF-8, we pass a gsize to
g_utf8_validate(), which only takes a gssize. For large gsize values,
this will result in the gssize actually being negative, which will
change g_utf8_validate()’s behaviour to stop at the first nul byte. That
would allow subsequent nul bytes through the string validator, against
its documented behaviour.
Add a test case.
oss-fuzz#10319
Signed-off-by: Philip Withnall <withnall endlessm com>
glib/gvariant-serialiser.c | 3 ++-
glib/tests/gvariant.c | 26 ++++++++++++++++++++++++++
2 files changed, 28 insertions(+), 1 deletion(-)
---
diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
index 643894919..bbdcc7a0c 100644
--- a/glib/gvariant-serialiser.c
+++ b/glib/gvariant-serialiser.c
@@ -1643,6 +1643,7 @@ g_variant_serialiser_is_string (gconstpointer data,
const gchar *expected_end;
const gchar *end;
+ /* Strings must end with a nul terminator. */
if (size == 0)
return FALSE;
@@ -1651,7 +1652,7 @@ g_variant_serialiser_is_string (gconstpointer data,
if (*expected_end != '\0')
return FALSE;
- g_utf8_validate (data, size, &end);
+ g_utf8_validate_len (data, size, &end);
return end == expected_end;
}
diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
index 4aba310ae..6e417f6c1 100644
--- a/glib/tests/gvariant.c
+++ b/glib/tests/gvariant.c
@@ -4833,6 +4833,30 @@ test_normal_checking_tuple_offsets (void)
g_variant_unref (variant);
}
+/* Test that an empty object path is normalised successfully to the base object
+ * path, ‘/’. */
+static void
+test_normal_checking_empty_object_path (void)
+{
+ const guint8 data[] = {
+ 0x20, 0x20, 0x00, 0x00, 0x00, 0x00,
+ '(', 'h', '(', 'a', 'i', 'a', 'b', 'i', 'o', ')', ')',
+ };
+ gsize size = sizeof (data);
+ GVariant *variant = NULL;
+ GVariant *normal_variant = NULL;
+
+ variant = g_variant_new_from_data (G_VARIANT_TYPE_VARIANT, data, size,
+ FALSE, NULL, NULL);
+ g_assert_nonnull (variant);
+
+ normal_variant = g_variant_get_normal_form (variant);
+ g_assert_nonnull (normal_variant);
+
+ g_variant_unref (normal_variant);
+ g_variant_unref (variant);
+}
+
int
main (int argc, char **argv)
{
@@ -4905,6 +4929,8 @@ main (int argc, char **argv)
test_normal_checking_array_offsets);
g_test_add_func ("/gvariant/normal-checking/tuple-offsets",
test_normal_checking_tuple_offsets);
+ g_test_add_func ("/gvariant/normal-checking/empty-object-path",
+ test_normal_checking_empty_object_path);
g_test_add_func ("/gvariant/recursion-limits/variant-in-variant",
test_recursion_limits_variant_in_variant);
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]