[tracker/wip/carlosg/more-bus-fixes: 3/4] libtracker-sparql/bus: Shuffle cursor row offsets maximum size checks




commit 90eff3ed1de746536a7fef4d0275f95b3ab74ae6
Author: Carlos Garnacho <carlosg gnome org>
Date:   Sat Jul 23 19:41:43 2022 +0200

    libtracker-sparql/bus: Shuffle cursor row offsets maximum size checks
    
    Delegating the offsets array sanity check to a function does not seem
    to appease Coverity, so ensure this check happens before the last offset
    is used for row data allocation in TrackerSparqlCursor's next()
    implementation.

 src/libtracker-sparql/bus/tracker-bus-cursor.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
---
diff --git a/src/libtracker-sparql/bus/tracker-bus-cursor.c b/src/libtracker-sparql/bus/tracker-bus-cursor.c
index 0e50a17ac..cdb1a02a4 100644
--- a/src/libtracker-sparql/bus/tracker-bus-cursor.c
+++ b/src/libtracker-sparql/bus/tracker-bus-cursor.c
@@ -196,13 +196,6 @@ validate_offsets (gint32  *offsets,
                        goto error;
        }
 
-       /* Set a ridiculously high limit on the row size,
-        * but a limit nonetheless. We can store up to 1GB
-        * in a single column/row, so make room for 2GiB.
-        */
-       if (offsets[n_columns - 1] > 2 * 1000 * 1000 * 1000)
-               goto error;
-
        return TRUE;
  error:
        g_set_error (error,
@@ -262,6 +255,19 @@ tracker_bus_cursor_next (TrackerSparqlCursor  *cursor,
                return FALSE;
        }
 
+       /* Set a ridiculously high limit on the row size,
+        * but a limit nonetheless. We can store up to 1GB
+        * in a single column/row, so make room for 2GiB.
+        */
+       if (offsets[n_columns - 1] > 2 * 1000 * 1000 * 1000) {
+               g_set_error (error,
+                            G_IO_ERROR,
+                            G_IO_ERROR_INVALID_DATA,
+                            "Corrupted cursor data");
+               g_free (offsets);
+               return FALSE;
+       }
+
        /* The last offset says how long we have to go to read
         * the whole row data.
         */
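Review bot: The relocated bound in tracker_bus_cursor_next() rejects only a last offset above 2 * 1000 * 1000 * 1000, and offsets is a gint32 array (per the validate_offsets signature), so a negative last offset passes this check; whether validate_offsets already rejects negative values is not visible in these hunks. Because the commit message says this value sizes the row data allocation, both bounds could be stated at the point of use: `if (offsets[n_columns - 1] < 0 || offsets[n_columns - 1] > 2 * 1000 * 1000 * 1000) {`. The expression also indexes `n_columns - 1` with no `n_columns > 0` guard visible here; if none exists earlier in the function, it should be added before this check. The comment mixes "1GB" and "2GiB" while the literal is 2 * 10^9, so a named constant with the unit spelled out would keep comment and limit in agreement. The function body starts and ends outside the hunk.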

