Previously, GVariant has allowed ‘arbitrary’ recursion on GVariantTypes,
but this isn’t really feasible. We have to deal with GVariants from
untrusted sources, and the nature of GVariantType means that another
level of recursion (and hence, for example, another stack frame in your
application) can be added with a single byte in a variant type signature
in the input. This gives malicious input sources far too much leverage
to cause deep stack recursion or massive memory allocations which can
DoS an application.
Limit recursion to 128 levels (which should be more than enough for
anyone™), document it and add a test. This is, handily, also the limit
of 64 applied by the D-Bus specification (§(Valid Signatures)), plus a
bit to allow wrapping of D-Bus messages in additional layers of
variants.
oss-fuzz#9857
Signed-off-by: Philip Withnall <withnall@endlessm.com>
All glib/*.{c,h} files have been processed, as well as gtester-report.
12 of those files are not licensed under LGPL:
gbsearcharray.h
gconstructor.h
glibintl.h
gmirroringtable.h
gscripttable.h
gtranslit-data.h
gunibreak.h
gunichartables.h
gunicomp.h
gunidecomp.h
valgrind.h
win_iconv.c
Some of them are generated files, some are licensed under a BSD-style
license and win_iconv.c is in the public domain.
Sub-directories inside glib/:
deprecated/: processed in a previous commit
glib-mirroring-tab/: already LGPLv2.1+
gnulib/: not modified, the code is copied from gnulib
libcharset/: a copy
pcre/: a copy
tests/: processed in a previous commit
https://bugzilla.gnome.org/show_bug.cgi?id=776504
If we have an input parameter (or return value) we need to use (nullable).
However, if it is an (inout) or (out) parameter, (optional) is sufficient.
It looks like (nullable) could be used for everything according to the
Annotation documentation, but (optional) is more specific.
All locks are now zero-initialised, so we can drop the G_*_INIT macros
for them.
Adjust various users around GLib accordingly and change the docs.
https://bugzilla.gnome.org/show_bug.cgi?id=659866
Merge GVariant variable arguments support and put it under tests.
Also, remove the hack of the test case directly '#include'ing .c files
from glib/. Instead, create a non-installed gvariant-internal.h that
the tests can include and make the symbols in it visible on the symbol
table of the shared library. These symbols (as they are present in no
installed header files) are not part of the API of GLib.
Increase test coverage in a few other areas.
Issue caught by Michael Meeks. This patch based on his.
GVariantTypeInfo was dropping the reference count on the TypeInfo
structure before removing it from the hash table. This means that
another thread could come along and grab the value from the hash table
in the meantime.
Solve this by holding the lock on the table before dropping the
reference.
Also: move the hash table initialisation inside of the lock to remove
the standard double-initialisation race plus a more insidious issue
caused by the fact that we free the hash table once it becomes empty.
1) always emit ending type FIXED for fixed sized items
The serialiser needs to know if it dealing with a fixed sized item
in case the serialised data is corrupt and the item has the wrong
size.
2) add a macro that will be used by test cases to check that all
memory has been freed.
