[tracker/wip/carlosg/bus-fixes: 1/2] libtracker-sparql/bus: Validate column offsets in bus cursors




commit 82586315fd24977299aae81b092678f60e9c6ebd
Author: Carlos Garnacho <carlosg gnome org>
Date:   Tue Jul 19 18:54:00 2022 +0200

    libtracker-sparql/bus: Validate column offsets in bus cursors
    
    We use these to fetch the string values given in a row. Since this
    involves buffer allocations and direct access to the pointers
    described by these locations, ensure the values are sensible.
    
    Should fix newly reported Coverity issues.
    
    CID: #1518980

 src/libtracker-sparql/bus/tracker-bus-cursor.c | 36 ++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
---
diff --git a/src/libtracker-sparql/bus/tracker-bus-cursor.c b/src/libtracker-sparql/bus/tracker-bus-cursor.c
index 14e8afd13..66de6c875 100644
--- a/src/libtracker-sparql/bus/tracker-bus-cursor.c
+++ b/src/libtracker-sparql/bus/tracker-bus-cursor.c
@@ -181,6 +181,37 @@ tracker_bus_cursor_get_string (TrackerSparqlCursor *cursor,
        return str;
 }
 
+static gboolean
+validate_offsets (gint32  *offsets,
+                 gint     n_columns,
+                 GError **error)
+{
+       gint i;
+
+       for (i = 0; i < n_columns - 1; i++) {
+               gint32 cur = offsets[i];
+               gint32 next = offsets[i + 1];
+
+               if (cur < 0 || cur >= next)
+                       goto error;
+       }
+
+       /* Set a ridiculously high limit on the row size,
+        * but a limit nonetheless. We can store up to 1GB
+        * in a single column/row, so make room for 2GiB.
+        */
+       if (offsets[n_columns - 1] > 2 * 1000 * 1000 * 1000)
+               goto error;
+
+       return TRUE;
+ error:
+       g_set_error (error,
+                    G_IO_ERROR,
+                    G_IO_ERROR_INVALID_DATA,
+                    "Corrupted cursor data");
+       return FALSE;
+}
+
 static gboolean
 tracker_bus_cursor_next (TrackerSparqlCursor  *cursor,
                          GCancellable         *cancellable,
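Review bot: validate_offsets has no guard for n_columns below 2: with n_columns == 0 the loop body never runs and `offsets[n_columns - 1]` reads `offsets[-1]`, and with n_columns == 1 the loop never evaluates `cur < 0`, so a negative `offsets[0]` passes the final size check and is then used as the row length. Whether the caller in tracker_bus_cursor_next (whose body is outside this hunk) can hand in such values is not visible here, but a validator of untrusted bus data should not depend on it; adding `if (n_columns < 1 || offsets[0] < 0) goto error;` before the loop closes both cases. Separately, the comment says "make room for 2GiB" while `2 * 1000 * 1000 * 1000` is 2 GB decimal, slightly under 2 GiB, and the GiB constant `2 * 1024 * 1024 * 1024` would be INT_MAX + 1 and overflow gint, so keep the constant and change the comment to say "2 GB".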
@@ -224,6 +255,11 @@ tracker_bus_cursor_next (TrackerSparqlCursor  *cursor,
                                      NULL, NULL, error))
                return FALSE;
 
+       if (!validate_offsets (offsets, n_columns, error)) {
+               g_free (offsets);
+               return FALSE;
+       }
+
        /* The last offset says how long we have to go to read
         * the whole row data.
         */

