[PATCH 0/3] Fix crashes caused by near-MAX_UINT32 lengths.
Michal Srb
msrb at suse.com
Tue Aug 14 11:07:50 UTC 2018
Hi,

Sorry for the long delay. I rewrote it using a different method. IMO it is
cleaner now too.

There were two kinds of overflows - integer overflow when rounding the
length and pointer/integer overflow when adding the length to `p`.
So I split it into two patches + one with tests.

Michal Srb (3):
  tests: Demarshalling of very long array/string lengths.
  connection: Prevent integer overflow in DIV_ROUNDUP.
  connection: Prevent pointer overflow from large lengths.

 src/connection.c        | 31 +++++++++++++++++++------------
 tests/connection-test.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+), 12 deletions(-)

--
2.16.4
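
The two overflow kinds named in the cover letter, shown as an added C example; it is not code from these patches or from the Wayland source. The function names, the 4-byte word size and the sample buffer are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Rounds n up to a multiple of a, in units of a. The 32-bit sum
 * n + (a - 1) wraps when n is close to UINT32_MAX. */
static uint32_t round_up_naive(uint32_t n, uint32_t a)
{
    return (n + (a - 1)) / a;
}

/* Same rounding with the sum done in 64 bits, so it cannot wrap. */
static uint32_t round_up_wide(uint32_t n, uint32_t a)
{
    return (uint32_t)(((uint64_t)n + (a - 1)) / a);
}

/* Hypothetical bounds check: p is the first payload word, end is one
 * past the buffer, length is the untrusted byte count from the wire.
 * Trusts the wrapped word count, so a huge length looks like 0 words. */
static int fits_naive(const uint32_t *p, const uint32_t *end, uint32_t length)
{
    return (size_t)(end - p) >= round_up_naive(length, sizeof *p);
}

/* Compares the words remaining against the words needed instead of
 * forming p + words, which may wrap or leave the buffer. */
static int fits_checked(const uint32_t *p, const uint32_t *end, uint32_t length)
{
    if (p > end)
        return 0;
    return (size_t)(end - p) >= round_up_wide(length, sizeof *p);
}

/* Constructed sample: a 4-word (16-byte) receive buffer. */
static const uint32_t sample_buf[4] = { 0 };

int main(void)
{
    const uint32_t *p = sample_buf, *end = sample_buf + 4;
    uint32_t lengths[] = { 13, 16, 17, UINT32_MAX - 2, UINT32_MAX };

    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("length=%u naive=%d checked=%d\n", (unsigned)lengths[i],
               fits_naive(p, end, lengths[i]), fits_checked(p, end, lengths[i]));
    return 0;
}
```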