luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2025-02-24 19:22:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

gvariant: Limit GVariant strings to G_MAXSSIZE

Browse Source 
When validating a string to see if it’s valid UTF-8, we pass a gsize to
g_utf8_validate(), which only takes a gssize. For large gsize values,
this will result in the gssize actually being negative, which will
change g_utf8_validate()’s behaviour to stop at the first nul byte. That
would allow subsequent nul bytes through the string validator, against
its documented behaviour.

Add a test case.

oss-fuzz#10319

Signed-off-by: Philip Withnall <withnall@endlessm.com>
This commit is contained in:
Philip Withnall 2018-09-18 13:29:18 +01:00
parent 6cc2994dfb
commit 355c4b4176
2 changed files with 28 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
glib/gvariant-serialiser.c
View File

@ -1643,6 +1643,7 @@ g_variant_serialiser_is_string (gconstpointer data,
const gchar *expected_end; const gchar *expected_end;
const gchar *end; const gchar *end;
/* Strings must end with a nul terminator. */
if (size == 0) if (size == 0)
return FALSE; return FALSE;
@ -1651,7 +1652,7 @@ g_variant_serialiser_is_string (gconstpointer data,
if (*expected_end != '\0') if (*expected_end != '\0')
return FALSE; return FALSE;
g_utf8_validate (data, size, &end); g_utf8_validate_len (data, size, &end);
return end == expected_end; return end == expected_end;
} }

26
glib/tests/gvariant.c
View File

@ -4833,6 +4833,30 @@ test_normal_checking_tuple_offsets (void)
g_variant_unref (variant); g_variant_unref (variant);
} }
/* Test that an empty object path is normalised successfully to the base object
* path, /. */
static void
test_normal_checking_empty_object_path (void)
{
const guint8 data[] = {
0x20, 0x20, 0x00, 0x00, 0x00, 0x00,
'(', 'h', '(', 'a', 'i', 'a', 'b', 'i', 'o', ')', ')',
};
gsize size = sizeof (data);
GVariant *variant = NULL;
GVariant *normal_variant = NULL;
variant = g_variant_new_from_data (G_VARIANT_TYPE_VARIANT, data, size,
FALSE, NULL, NULL);
g_assert_nonnull (variant);
normal_variant = g_variant_get_normal_form (variant);
g_assert_nonnull (normal_variant);
g_variant_unref (normal_variant);
g_variant_unref (variant);
}
int int
main (int argc, char **argv) main (int argc, char **argv)
{ {
@ -4905,6 +4929,8 @@ main (int argc, char **argv)
test_normal_checking_array_offsets); test_normal_checking_array_offsets);
g_test_add_func ("/gvariant/normal-checking/tuple-offsets", g_test_add_func ("/gvariant/normal-checking/tuple-offsets",
test_normal_checking_tuple_offsets); test_normal_checking_tuple_offsets);
g_test_add_func ("/gvariant/normal-checking/empty-object-path",
test_normal_checking_empty_object_path);
g_test_add_func ("/gvariant/recursion-limits/variant-in-variant", g_test_add_func ("/gvariant/recursion-limits/variant-in-variant",
test_recursion_limits_variant_in_variant); test_recursion_limits_variant_in_variant);