luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2025-10-25 14:32:16 +02:00
Code Issues Packages Projects Releases Wiki Activity

gvariant: Fix bounds checking in GVariant text format parser

Browse Source 
The token_stream_peek() functions were not doing any bounds checking, so
could potentially read 1 byte off the end of the input blob. This was
never noticed, since the input stream is almost always a nul-terminated
string. However, g_variant_parse() does allow non-nul-terminated strings
to be used with a @limit parameter, and the bugs become apparent under
valgrind if that parameter is used.

This includes modifications to the test cases to cover the
non-nul-terminated case.

Spotted by ossfuzz.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
This commit is contained in:
Philip Withnall
2018-08-09 01:00:20 +01:00
parent 291bb0c584
commit 10ee7301e8
2 changed files with 44 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
glib/gvariant-parser.c
View File

@@ -260,6 +260,9 @@ token_stream_prepare (TokenStream *stream)
stream->this = stream->stream;
stream->stream = end;
/* We must have at least one byte in a token. */
g_assert (stream->stream - stream->this >= 1);
return TRUE;
}
@@ -276,7 +279,8 @@ token_stream_peek (TokenStream *stream,
if (!token_stream_prepare (stream))
return FALSE;
return stream->this[0] == first_char;
return stream->stream - stream->this >= 1 &&
stream->this[0] == first_char;
}
static gboolean
@@ -287,7 +291,8 @@ token_stream_peek2 (TokenStream *stream,
if (!token_stream_prepare (stream))
return FALSE;
return stream->this[0] == first_char &&
return stream->stream - stream->this >= 2 &&
stream->this[0] == first_char &&
stream->this[1] == second_char;
}
@@ -297,7 +302,8 @@ token_stream_is_keyword (TokenStream *stream)
if (!token_stream_prepare (stream))
return FALSE;
return g_ascii_isalpha (stream->this[0]) &&
return stream->stream - stream->this >= 2 &&
g_ascii_isalpha (stream->this[0]) &&
g_ascii_isalpha (stream->this[1]);
}
@@ -307,10 +313,11 @@ token_stream_is_numeric (TokenStream *stream)
if (!token_stream_prepare (stream))
return FALSE;
return (g_ascii_isdigit (stream->this[0]) ||
stream->this[0] == '-' ||
stream->this[0] == '+' ||
stream->this[0] == '.');
return (stream->stream - stream->this >= 1 &&
(g_ascii_isdigit (stream->this[0]) ||
stream->this[0] == '-' ||
stream->this[0] == '+' ||
stream->this[0] == '.'));
}
static gboolean