[PATCH 0/3] Fix crashes caused by near-MAX_UINT32 lengths.

Michal Srb msrb at suse.com
Tue Aug 14 11:07:50 UTC 2018


Sorry for the long delay. I rewrote it using a different method. IMO it is
cleaner now too.

There were two kinds of overflows - integer overflow when rounding the
length and pointer/integer overflow when adding the length to the `p`.
So I split it into two patches + one with tests.

Michal Srb (3):
  tests: Demarshalling of very long array/string lengths.
  connection: Prevent integer overflow in DIV_ROUNDUP.
  connection: Prevent pointer overflow from large lengths.

 src/connection.c        | 31 +++++++++++++++++++------------
 tests/connection-test.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+), 12 deletions(-)
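
The two overflow classes named in the cover letter, shown as an added example that is not taken from this patch series or from Wayland's source. The function names, the 4-byte word size and the sample lengths are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Naive round-up to 4-byte words done in 32 bits: n + 3 wraps around
 * for n near UINT32_MAX, so a huge length turns into a tiny word count. */
static uint32_t words_naive(uint32_t n)
{
	return (n + (uint32_t)(sizeof(uint32_t) - 1)) / (uint32_t)sizeof(uint32_t);
}

/* The same rounding carried out in 64 bits, so the addition cannot wrap. */
static uint32_t words_checked(uint32_t n)
{
	return (uint32_t)(((uint64_t)n + sizeof(uint32_t) - 1) / sizeof(uint32_t));
}

/* Returns 1 if a field of `length` bytes, padded to whole words, fits
 * between p and end. The word count is compared against the space that
 * is left instead of forming p + words, which could point past the
 * buffer or wrap around before it is ever compared with end. */
static int field_fits(const uint32_t *p, const uint32_t *end, uint32_t length)
{
	if (p > end)
		return 0;
	return words_checked(length) <= (size_t)(end - p);
}

int main(void)
{
	/* Constructed sample lengths, including values near UINT32_MAX. */
	const uint32_t lengths[] = { 5, 16, 17, 0xfffffffdu, 0xffffffffu };
	uint32_t buf[4] = { 0 };
	size_t i;

	for (i = 0; i < sizeof(lengths) / sizeof(lengths[0]); i++)
		printf("len=%#x naive=%#x checked=%#x fits=%d\n",
		       (unsigned)lengths[i],
		       (unsigned)words_naive(lengths[i]),
		       (unsigned)words_checked(lengths[i]),
		       field_fits(buf, buf + 4, lengths[i]));
	return 0;
}
```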

