author | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2013-08-27 19:16:42 +0100 |
---|---|---|
committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2015-05-13 18:44:44 +0100 |
commit | b9a5ea27f9788a2b02ea3c5e6c700ffcc48a49d3 (patch) | |
tree | 18915cff2255a82eeae6273af5ad5d733e8a96c9 | |
parent | c8b2d74503d41af3edcbef3a506850dede6bed49 (diff) | |
Avoid reading beyond the length of a variable
Appending &some as DBUS_TYPE_INT64, DBUS_TYPE_UINT64 or DBUS_TYPE_DOUBLE,
where "some" is an int, reads beyond the bounds of that variable.
Use a zero-filled DBusBasicValue instead.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=30350
-rw-r--r-- | dbus/dbus-message-util.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/dbus/dbus-message-util.c b/dbus/dbus-message-util.c
index ded72036..5acd541e 100644
--- a/dbus/dbus-message-util.c
+++ b/dbus/dbus-message-util.c
@@ -1611,10 +1611,14 @@ _dbus_message_test (const char *test_data_dir)
 /* Test enumeration of array elements */
 for (i = strlen (basic_types) - 1; i > 0; i--)
 {
+ DBusBasicValue val;
 int some;
 char* signature = _dbus_strdup ("?");
+
 signature[0] = basic_types[i];
 s = "SomeThingToSay";
+ memset (&val, '\0', sizeof (val));
+
 message = dbus_message_new_method_call ("de.ende.test",
 "/de/ende/test", "de.ende.Test", "ArtistName");
 _dbus_assert (message != NULL);
@@ -1626,7 +1630,7 @@ _dbus_message_test (const char *test_data_dir)
 if (basic_types[i] == DBUS_TYPE_STRING)
 dbus_message_iter_append_basic (&array_iter, DBUS_TYPE_STRING, &s);
 else
- dbus_message_iter_append_basic (&array_iter, basic_types[i], &some);
+ dbus_message_iter_append_basic (&array_iter, basic_types[i], &val);
 }
 dbus_message_iter_close_container (&iter, &array_iter);
 dbus_message_iter_init (message, &iter); |
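Review bot: The new `val` declaration and `memset` in the first hunk have no comment explaining why a full DBusBasicValue is required, while `int some` stays declared right beside it, so a later cleanup could easily pass `&some` to the append call again. I would add above the memset: `/* append_basic reads as many bytes as basic_types[i] is wide (8 for INT64, UINT64, DOUBLE), so pass a zeroed DBusBasicValue, never an int */`. Whether `some` is still used cannot be told from here, because the loop body continues outside the hunk; if nothing else uses it, it should be dropped.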
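Review bot: The `else` branch in the second hunk now passes the zero-filled `val` for every type code other than DBUS_TYPE_STRING, which is right for fixed-width types but would be read as a NULL `char *` for any other string-like code. `basic_types` is defined outside the hunk, so I cannot tell whether it contains DBUS_TYPE_OBJECT_PATH or DBUS_TYPE_SIGNATURE; if it can, those need the same handling as the string case. A cheap guard is `_dbus_assert (dbus_type_is_fixed (basic_types[i]));` before the append, and the `else` branch would then need braces.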