luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2025-01-27 06:26:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'security-fixes-main' into 'main'

Browse Source 
gdbusmessage, gvariant and garray fixes

Closes #2557, #2572, and #2578

See merge request GNOME/glib!2454
This commit is contained in:
Philip Withnall 2022-01-26 13:39:37 +00:00
commit 34bd3fc5cc
4 changed files with 125 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
gio/gdbusmessage.c
View File

@ -1839,6 +1839,16 @@ parse_value_from_blob (GMemoryBuffer *buf,
}
g_variant_builder_add_value (&builder, item);
g_variant_unref (item);
/* Array elements must not be zero-length. There are no
* valid zero-length serialisations of any types which
* can be array elements in the D-Bus wire format, so this
* assertion should always hold.
*
* See https://gitlab.gnome.org/GNOME/glib/-/issues/2557
*/
g_assert (buf->pos > (gsize) offset);
offset = buf->pos;
}
}
@ -1907,6 +1917,16 @@ parse_value_from_blob (GMemoryBuffer *buf,
g_variant_builder_init (&builder, type);
element_type = g_variant_type_first (type);
if (!element_type)
{
g_variant_builder_clear (&builder);
g_set_error_literal (&local_error,
G_IO_ERROR,
G_IO_ERROR_INVALID_ARGUMENT,
_("Empty structures (tuples) are not allowed in D-Bus"));
goto fail;
}
while (element_type != NULL)
{
GVariant *item;
@ -2617,6 +2637,15 @@ append_value_to_blob (GVariant *value,
default:
if (g_variant_type_is_dict_entry (type) || g_variant_type_is_tuple (type))
{
if (!g_variant_type_first (type))
{
g_set_error_literal (error,
G_IO_ERROR,
G_IO_ERROR_INVALID_ARGUMENT,
_("Empty structures (tuples) are not allowed in D-Bus"));
goto fail;
}
padding_added = ensure_output_padding (mbuf, 8);
if (value != NULL)
{

88
gio/tests/gdbus-serialization.c
View File

@ -1529,6 +1529,90 @@ test_message_parse_truncated (void)
g_free (blob);
}
static void
test_message_parse_empty_structure (void)
{
const guint8 data[] =
{
'l', /* little-endian byte order */
0x02, /* message type (method return) */
0x00, /* message flags (none) */
0x01, /* major protocol version */
0x08, 0x00, 0x00, 0x00, /* body length (in bytes) */
0x00, 0x00, 0x00, 0x00, /* message serial */
/* a{yv} of header fields */
0x20, 0x00, 0x00, 0x00, /* array length (in bytes), must be a multiple of 8 */
0x01, /* array key (PATH) */
0x01, /* signature length */
'o', /* type (OBJECT_PATH) */
0x00, /* nul terminator */
0x05, 0x00, 0x00, 0x00, /* length 5 */
'/', 'p', 'a', 't', 'h', 0x00, 0x00, 0x00, /* string '/path' and padding */
0x03, /* array key (MEMBER) */
0x01, /* signature length */
's', /* type (STRING) */
0x00, /* nul terminator */
0x06, 0x00, 0x00, 0x00, /* length 6 */
'M', 'e', 'm', 'b', 'e', 'r', 0x00, 0x00, /* string 'Member' and padding */
0x08, /* array key (SIGNATURE) */
0x01, /* signature length */
'g', /* type (SIGNATURE) */
0x00, /* nul terminator */
0x03, /* length 3 */
'a', '(', ')', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* type 'a()' and padding */
0x08, 0x00, 0x00, 0x00, /* array length: 4 bytes */
0x00, 0x00, 0x00, 0x00, /* padding to 8 bytes */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* array data */
0x00
};
gsize size = sizeof (data);
GDBusMessage *message = NULL;
GError *local_error = NULL;
g_test_summary ("Test that empty structures are rejected when parsing.");
g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/2557");
message = g_dbus_message_new_from_blob ((guchar *) data, size,
G_DBUS_CAPABILITY_FLAGS_NONE,
&local_error);
g_assert_error (local_error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT);
g_assert_cmpstr (local_error->message, ==, "Empty structures (tuples) are not allowed in D-Bus");
g_assert_null (message);
g_clear_error (&local_error);
}
static void
test_message_serialize_empty_structure (void)
{
GDBusMessage *message;
GVariantBuilder builder;
gsize size = 0;
GError *local_error = NULL;
g_test_summary ("Test that empty structures are rejected when serializing.");
g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/2557");
message = g_dbus_message_new ();
g_variant_builder_init (&builder, G_VARIANT_TYPE ("(a())"));
g_variant_builder_open (&builder, G_VARIANT_TYPE ("a()"));
g_variant_builder_add (&builder, "()");
g_variant_builder_close (&builder);
g_dbus_message_set_message_type (message, G_DBUS_MESSAGE_TYPE_METHOD_CALL);
g_dbus_message_set_header (message, G_DBUS_MESSAGE_HEADER_FIELD_PATH,
g_variant_new_object_path ("/path"));
g_dbus_message_set_header (message, G_DBUS_MESSAGE_HEADER_FIELD_MEMBER,
g_variant_new_string ("Member"));
g_dbus_message_set_body (message, g_variant_builder_end (&builder));
g_dbus_message_to_blob (message, &size, G_DBUS_CAPABILITY_FLAGS_NONE, &local_error);
g_assert_error (local_error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT);
g_assert_cmpstr (local_error->message, ==, "Empty structures (tuples) are not allowed in D-Bus");
g_clear_error (&local_error);
g_clear_object (&message);
}
/* ---------------------------------------------------------------------------------------------------- */
int
@ -1550,6 +1634,8 @@ main (int argc,
test_message_serialize_header_checks);
g_test_add_func ("/gdbus/message-serialize/double-array",
test_message_serialize_double_array);
g_test_add_func ("/gdbus/message-serialize/empty-structure",
test_message_serialize_empty_structure);
g_test_add_func ("/gdbus/message-parse/empty-arrays-of-arrays",
test_message_parse_empty_arrays_of_arrays);
@ -1567,6 +1653,8 @@ main (int argc,
test_message_parse_deep_body_nesting);
g_test_add_func ("/gdbus/message-parse/truncated",
test_message_parse_truncated);
g_test_add_func ("/gdbus/message-parse/empty-structure",
test_message_parse_empty_structure);
return g_test_run();
}

9
glib/garray.c
View File

@ -1001,7 +1001,7 @@ g_array_maybe_expand (GRealArray *array,
memset (g_array_elt_pos (array, array->elt_capacity), 0,
g_array_elt_len (array, want_len - array->elt_capacity));
array->elt_capacity = want_alloc / array->elt_size;
array->elt_capacity = MIN (want_alloc / array->elt_size, G_MAXUINT);
}
}
@ -1518,9 +1518,10 @@ g_ptr_array_maybe_expand (GRealPtrArray *array,
if ((array->len + len) > array->alloc)
{
guint old_alloc = array->alloc;
array->alloc = g_nearest_pow (array->len + len);
array->alloc = MAX (array->alloc, MIN_ARRAY_SIZE);
array->pdata = g_realloc (array->pdata, sizeof (gpointer) * array->alloc);
gsize want_alloc = g_nearest_pow (sizeof (gpointer) * (array->len + len));
want_alloc = MAX (want_alloc, MIN_ARRAY_SIZE);
array->alloc = MIN (want_alloc / sizeof (gpointer), G_MAXUINT);
array->pdata = g_realloc (array->pdata, want_alloc);
if (G_UNLIKELY (g_mem_gc_friendly))
for ( ; old_alloc < array->alloc; old_alloc++)
array->pdata [old_alloc] = NULL;

5
glib/gvariant-serialiser.c
View File

@ -1587,6 +1587,9 @@ g_variant_serialised_byteswap (GVariantSerialised serialised)
gboolean
g_variant_serialised_is_normal (GVariantSerialised serialised)
{
if (serialised.depth >= G_VARIANT_MAX_RECURSION_DEPTH)
return FALSE;
DISPATCH_CASES (serialised.type_info,
return gvs_/**/,/**/_is_normal (serialised);
@ -1595,8 +1598,6 @@ g_variant_serialised_is_normal (GVariantSerialised serialised)
if (serialised.data == NULL)
return FALSE;
if (serialised.depth >= G_VARIANT_MAX_RECURSION_DEPTH)
return FALSE;
/* some hard-coded terminal cases */
switch (g_variant_type_info_get_type_char (serialised.type_info))