path: root/tests/cpp-compile-test.cpp
author: Michal Srb <msrb@suse.com> 2018-08-14 13:07:53 +0200
committer: Derek Foreman <derek.foreman.samsung@gmail.com> 2018-08-17 10:59:20 -0500
commit: f7fdface41a9205c12aedf7fe04aba7792402909
tree: d9ee5cf00ae47ef34504131f0be063f581998684 /tests/cpp-compile-test.cpp
parent: connection: Prevent integer overflow in DIV_ROUNDUP.
connection: Prevent pointer overflow from large lengths.

If the remote side sends a sufficiently large `length` field, it will overflow the `p` pointer. Technically it is undefined behavior, in practice it makes `p < end`, so the length check passes. Attempts to access the data later cause crashes.

This issue manifests only on 32-bit systems, but the behavior is undefined everywhere.

Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Derek Foreman <derek.foreman.samsung@gmail.com>

Diffstat (limited to 'tests/cpp-compile-test.cpp')
0 files changed, 0 insertions, 0 deletions
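
The failure mode the commit message describes, as an added example that is not code from the Wayland tree: a bounds check that advances the cursor before comparing it with `end`, next to one that compares the requested size with the space remaining. It models 32-bit pointers as `uint32_t` values so the wraparound is well defined here; `addr32`, `words_for`, `fits_unsafe` and `fits_safe` are hypothetical names, and the addresses and lengths are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed model: addresses are plain 32-bit integers, so the wraparound
 * a 32-bit pointer would show in practice can be demonstrated without
 * undefined behaviour in this example. All names are hypothetical. */
typedef uint32_t addr32;

/* Number of 32-bit words needed to hold `length` bytes, computed
 * without any intermediate overflow. */
static uint32_t words_for(uint32_t length)
{
	return length / 4 + (length % 4 != 0);
}

/* Overflow-prone pattern: move the cursor first, then compare with `end`.
 * For a large enough length the sum wraps modulo 2^32 and lands below
 * `end`, so the check passes although the data is not there. */
bool fits_unsafe(addr32 p, addr32 end, uint32_t length)
{
	addr32 next = p + words_for(length) * 4; /* may wrap */
	return next <= end;
}

/* Robust pattern: compare the requested size with what is left.
 * Relies on the invariant p <= end; nothing is ever added to p. */
bool fits_safe(addr32 p, addr32 end, uint32_t length)
{
	uint32_t remaining_words = (end - p) / 4;
	return words_for(length) <= remaining_words;
}

int main(void)
{
	/* Constructed sample: a 64-byte buffer high in a 32-bit address space. */
	addr32 p = 0xfffff000u, end = p + 64;
	uint32_t oversized = 0x00002000u; /* claims 8192 bytes, 64 available */

	/* Exit status 0 when the first check accepts the oversized length
	 * and the second one rejects it. */
	return (fits_unsafe(p, end, oversized) && !fits_safe(p, end, oversized)) ? 0 : 1;
}
```

With real pointers the first form is undefined behaviour on every platform, so a compiler may also remove the comparison outright; the second form never constructs an out-of-range pointer.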