luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2025-02-05 02:36:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

gvariant-serialiser: Prevent unbounded recursion in is_normal()

Browse Source 
This fixes a bug in 7c4e6e9fbe473de0401c778c6b0c4aad27d5145a.

The original approach in that commit accidentally only checked the depth
at the leaf nodes in the variant tree, whereas actually the depth should
be checked before recursing to avoid stack overflow.

It neglected to consider that `g_variant_serialised_is_normal()` would
be recursed into by some of the `DISPATCH(_is_normal)` cases. When that
happened, the depth check was after the recursion so couldn’t prevent a
stack overflow.

Fixes: #2572
This commit is contained in:
Sebastian Wilhelmi 2022-01-06 20:50:34 +00:00 committed by Philip Withnall
parent 5ca038cf57
commit 77233f6f07
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
glib/gvariant-serialiser.c
View File

@ -1587,6 +1587,9 @@ g_variant_serialised_byteswap (GVariantSerialised serialised)
gboolean
g_variant_serialised_is_normal (GVariantSerialised serialised)
{
if (serialised.depth >= G_VARIANT_MAX_RECURSION_DEPTH)
return FALSE;
DISPATCH_CASES (serialised.type_info,
return gvs_/**/,/**/_is_normal (serialised);
@ -1595,8 +1598,6 @@ g_variant_serialised_is_normal (GVariantSerialised serialised)
if (serialised.data == NULL)
return FALSE;
if (serialised.depth >= G_VARIANT_MAX_RECURSION_DEPTH)
return FALSE;
/* some hard-coded terminal cases */
switch (g_variant_type_info_get_type_char (serialised.type_info))