BUG in dbus/dbus-message-factory.c
Peter Kümmel
syntheticpp at gmx.net
Wed Jun 28 09:49:19 PDT 2006
There is a bug in dbus/dbus-message-factory.c,
the array is too small:
m = DBUS_MAXIMUM_TYPE_RECURSION_DEPTH
the index at line 660 is:
3*m+3+3 + 1 + (3*m+3+3)/3 = 4m+9
so we must allocate with 4m+10.
Index: dbus/dbus-message-factory.c
===================================================================
RCS file: /cvs/dbus/dbus/dbus/dbus-message-factory.c,v
retrieving revision 1.9
diff -u -B -b -r1.9 dbus-message-factory.c
--- dbus/dbus-message-factory.c 6 Sep 2005 22:38:54 -0000 1.9
+++ dbus/dbus-message-factory.c 28 Jun 2006 16:28:00 -0000
@@ -623,7 +623,7 @@
}
else if (item_seq == 16)
{
- char long_sig[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH*4+8];
+ char long_sig[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH*4+10];
const char *v_STRING;
int i;
int n_begins;
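Review bot: on the changed `long_sig` declaration, the size `DBUS_MAXIMUM_TYPE_RECURSION_DEPTH*4+10` is still a bare magic expression, and the derivation that justifies it (highest index 4m+9, from 3*m+3+3 + 1 + (3*m+3+3)/3) exists only in the covering message. The previous `+8` was the same kind of hand-computed constant and was wrong, so put the derivation in a comment next to the declaration, or build the size from the same terms the fill code uses. With a top index of 4m+9 the new size has no slack, and the write at line 660 is outside this hunk, so it would also help to assert there that the index is less than `sizeof (long_sig)`, which makes any later change to the generated signature fail loudly in the test build rather than overrun the stack buffer.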