connection: add sanity check to avoid buffer overflow

Sergi Granell xerpi.g.12 at gmail.com
Tue Sep 26 15:46:12 UTC 2017


On Thu, 2017-09-14 at 09:21 +0900, Boram Park wrote:
> Before putting data into a buffer, we have to make sure that the data size is
> smaller than not only the buffer's full size but also the buffer's empty size.
> 
> https://bugs.freedesktop.org/show_bug.cgi?id=102690
> 
> Signed-off-by: Boram Park <boram1288.park at samsung.com>
> Acked-by: Pekka Paalanen <pekka.paalanen at collabora.co.uk>
> ---
>  src/connection.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/src/connection.c b/src/connection.c
> index 5c3d187..53b1621 100644
> --- a/src/connection.c
> +++ b/src/connection.c
> @@ -63,14 +63,17 @@ struct wl_connection {
>  	int want_flush;
>  };
>  
> +static uint32_t wl_buffer_size(struct wl_buffer *b);
> +

I think it would be a better idea to move the wl_buffer_size definition
at the top to avoid this forward declaration.

>  static int
>  wl_buffer_put(struct wl_buffer *b, const void *data, size_t count)
>  {
> -	uint32_t head, size;
> +	uint32_t head, size, empty;
>  
> -	if (count > sizeof(b->data)) {
> +	empty = sizeof(b->data) - wl_buffer_size(b);
> +	if (count > empty) {
>  		wl_log("Data too big for buffer (%d > %d).\n",
> -		       count, sizeof(b->data));
> +		       count, empty);
>  		errno = E2BIG;
>  		return -1;
>  	}
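
Review bot: The wl_log() call in wl_buffer_put() still uses "%d > %d", but count is a size_t and the new empty variable is declared uint32_t, so neither argument matches the conversion specifier. On platforms where size_t is wider than int, the mismatch can make the logged values wrong on exactly the path that reports an oversized write. Suggest "%zu > %u" (or PRIu32 for empty), or explicit casts to the printed type. The message text could also say that the second number is the remaining free space, since it no longer prints the full buffer size.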

Other than that,

Reviewed-by: Sergi Granell <xerpi.g.12 at gmail.com>

