<html> <head> <base href="https://bugs.freedesktop.org/" /> </head> <body><table border="1" cellspacing="0" cellpadding="8"> <tr> <th>Priority</th> <td>medium </td> </tr> <tr> <th>Bug ID</th> <td><a class="bz_bug_link bz_status_NEW " title="NEW --- - Putting a lot of data into wl_buffer can lead to SIGSEGV" href="https://bugs.freedesktop.org/show_bug.cgi?id=69267">69267</a> </td> </tr> <tr> <th>Assignee</th> <td>wayland-bugs@lists.freedesktop.org </td> </tr> <tr> <th>Summary</th> <td>Putting a lot of data into wl_buffer can lead to SIGSEGV </td> </tr> <tr> <th>Severity</th> <td>normal </td> </tr> <tr> <th>Classification</th> <td>Unclassified </td> </tr> <tr> <th>OS</th> <td>All </td> </tr> <tr> <th>Reporter</th> <td>mchqwerty@gmail.com </td> </tr> <tr> <th>Hardware</th> <td>Other </td> </tr> <tr> <th>Status</th> <td>NEW </td> </tr> <tr> <th>Version</th> <td>unspecified </td> </tr> <tr> <th>Component</th> <td>wayland </td> </tr> <tr> <th>Product</th> <td>Wayland </td> </tr></table> <p> <div> <pre>Hey, I just were browsing the code and I discovered that in wl_buffer_put is possible to put into buffer more than 8192 bytes at once which means that we will use memory which doesn't belong to wl_buffer. I don't know if it's on purpose (because I did some debugging and nowhere were passed such an amount of bytes) but still this can be a hole. I successfully got SIGSEGV doing this: ... ... void *long_data = malloc(big_number) wl_connection_write(connection, long_data, big_number); ... ...</pre> </div> </p> <hr> <span>You are receiving this mail because:</span> <ul> <li>You are the assignee for the bug.</li> </ul> </body> </html>