From a9108f8bfd26da9d5054cce56c5dcd9292181240 Mon Sep 17 00:00:00 2001
From: Philip Withnall
Date: Fri, 10 Aug 2018 10:28:06 +0100
Subject: [PATCH] gvariant: Fix more bounds checking in GVariant text format parser

token_stream_prepare() was over-reading at the start of bytestring literals (`b'blah'`). Add tests for that, and for some other situations regarding bytestring literal parsing, in order to try and get full branch coverage of that bit of code.

oss-fuzz#9805

Signed-off-by: Philip Withnall
---
 glib/gvariant-parser.c | 3 ++-
 glib/tests/gvariant.c | 11 +++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
index 233a19f7c..335c71425 100644
--- a/glib/gvariant-parser.c
+++ b/glib/gvariant-parser.c
@@ -197,7 +197,8 @@ token_stream_prepare (TokenStream *stream)
 break;
 
 case 'b':
-if (stream->stream[1] == '\'' || stream->stream[1] == '"')
+if (stream->stream + 1 != stream->end &&
+(stream->stream[1] == '\'' || stream->stream[1] == '"'))
 {
 for (end = stream->stream + 2; end != stream->end; end++)
 if (*end == stream->stream[1] || *end == '\0' ||
diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
index 5aac3de53..de8e42d0b 100644
--- a/glib/tests/gvariant.c
+++ b/glib/tests/gvariant.c
@@ -3892,6 +3892,17 @@ test_parse_failures (void)
 "string 4", "7-8:", "can not parse as",
 "\x0a", "1:", "expected value",
 "((", "2:", "expected value",
+"(b", "1:", "expected value",
+"b'", "0-2:", "unterminated string constant",
+"b\"", "0-2:", "unterminated string constant",
+"b'a", "0-3:", "unterminated string constant",
+"b\"a", "0-3:", "unterminated string constant",
+"b'\\", "0-3:", "unterminated string constant",
+"b\"\\", "0-3:", "unterminated string constant",
+"b'\\'", "0-4:", "unterminated string constant",
+"b\"\\\"", "0-4:", "unterminated string constant",
+"b'\\'a", "0-5:", "unterminated string constant",
+"b\"\\\"a", "0-5:", "unterminated string constant",
 };
 gint i;
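Review bot: The added guard only protects the read of `stream->stream[1]`; the scan loop that follows is cut off at the end of the hunk (as is the enclosing token_stream_prepare()), and its escape handling must likewise not step `end` past `stream->end` when a backslash is the final byte, which the new `"b'\\"` and `"b'\\'"` test cases appear intended to exercise — worth confirming that branch checks `end + 1 != stream->end` before skipping the escaped byte. The guard also assumes `stream->stream != stream->end` on entry, which is established outside this hunk. A one-line comment on the new condition would make the reason visible to the next reader: `/* A bare 'b' at end of input has no quote byte to inspect. */`.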