[gjs] gi: assert we don't access argument arrays out of bounds
- From: Johan Dahlin <johan src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gjs] gi: assert we don't access argument arrays out of bounds
- Date: Tue, 2 Mar 2010 19:05:04 +0000 (UTC)
commit dc6ac45305258f38331c6b01bb3a10d0e0565679
Author: Tommi Komulainen <tko litl com>
Date: Tue Mar 2 12:43:39 2010 +0000
gi: assert we don't access argument arrays out of bounds
https://bugzilla.gnome.org/show_bug.cgi?id=611591
gi/function.c | 29 +++++++++++++++++++++++++----
1 files changed, 25 insertions(+), 4 deletions(-)
---
diff --git a/gi/function.c b/gi/function.c
index 9f6bc09..93a429b 100644
--- a/gi/function.c
+++ b/gi/function.c
@@ -486,6 +486,7 @@ gjs_invoke_c_function(JSContext *context,
guint8 processed_in_args;
guint8 n_args, i, argv_pos;
guint8 in_args_pos, out_args_pos, inout_args_pos;
+ guint8 in_args_len, out_args_len, inout_args_len;
guint8 can_throw_gerror, did_throw_gerror;
GError *local_error = NULL;
guint8 failed, postinvoke_release_failed;
@@ -529,10 +530,14 @@ gjs_invoke_c_function(JSContext *context,
return JS_FALSE;
}
- in_arg_cvalues = g_newa(GArgument, function->invoker.cif.nargs);
- in_arg_pointers = g_newa(gpointer, function->invoker.cif.nargs);
- out_arg_cvalues = g_newa(GArgument, function->js_out_argc > 1 ? function->js_out_argc - 1 : 0);
- inout_original_arg_cvalues = g_newa(GArgument, function->inout_argc);
+ in_args_len = function->invoker.cif.nargs;
+ out_args_len = function->js_out_argc > 1 ? function->js_out_argc - 1 : 0;
+ inout_args_len = function->inout_argc;
+
+ in_arg_cvalues = g_newa(GArgument, in_args_len);
+ in_arg_pointers = g_newa(gpointer, in_args_len);
+ out_arg_cvalues = g_newa(GArgument, out_args_len);
+ inout_original_arg_cvalues = g_newa(GArgument, inout_args_len);
failed = FALSE;
in_args_pos = 0; /* index into in_arg_cvalues */
@@ -546,6 +551,8 @@ gjs_invoke_c_function(JSContext *context,
GIBaseInfo *container = g_base_info_get_container((GIBaseInfo *) function->info);
GIInfoType type = g_base_info_get_type(container);
+ g_assert_cmpuint(0, <, in_args_len);
+
if (type == GI_INFO_TYPE_STRUCT || type == GI_INFO_TYPE_BOXED) {
in_arg_cvalues[0].v_pointer = gjs_c_struct_from_boxed(context, obj);
} else if (type == GI_INFO_TYPE_UNION) {
@@ -567,9 +574,13 @@ gjs_invoke_c_function(JSContext *context,
g_callable_info_load_arg( (GICallableInfo*) function->info, i, &arg_info);
direction = g_arg_info_get_direction(&arg_info);
+ g_assert_cmpuint(in_args_pos, <, in_args_len);
in_arg_pointers[in_args_pos] = &in_arg_cvalues[in_args_pos];
if (direction == GI_DIRECTION_OUT) {
+ g_assert_cmpuint(out_args_pos, <, out_args_len);
+ g_assert_cmpuint(in_args_pos, <, in_args_len);
+
out_arg_cvalues[out_args_pos].v_pointer = NULL;
in_arg_cvalues[in_args_pos].v_pointer = &out_arg_cvalues[out_args_pos];
out_args_pos++;
@@ -582,6 +593,7 @@ gjs_invoke_c_function(JSContext *context,
g_arg_info_load_type(&arg_info, &ainfo);
type_tag = g_type_info_get_tag(&ainfo);
+ g_assert_cmpuint(in_args_pos, <, in_args_len);
in_value = &in_arg_cvalues[in_args_pos];
if (g_slist_find(callback_arg_indices, GUINT_TO_POINTER((guint)i)) != NULL) {
@@ -626,6 +638,10 @@ gjs_invoke_c_function(JSContext *context,
}
if (!failed && direction == GI_DIRECTION_INOUT) {
+ g_assert_cmpuint(in_args_pos, <, in_args_len);
+ g_assert_cmpuint(out_args_pos, <, out_args_len);
+ g_assert_cmpuint(inout_args_pos, <, inout_args_len);
+
out_arg_cvalues[out_args_pos] = inout_original_arg_cvalues[inout_args_pos] = in_arg_cvalues[in_args_pos];
in_arg_cvalues[in_args_pos].v_pointer = &out_arg_cvalues[out_args_pos];
out_args_pos++;
@@ -650,6 +666,7 @@ gjs_invoke_c_function(JSContext *context,
}
if (can_throw_gerror) {
+ g_assert_cmpuint(in_args_pos, <, in_args_len);
in_arg_cvalues[in_args_pos].v_pointer = &local_error;
in_arg_pointers[in_args_pos] = &(in_arg_cvalues[in_args_pos]);
in_args_pos++;
@@ -691,6 +708,7 @@ gjs_invoke_c_function(JSContext *context,
if (return_tag != GI_TYPE_TAG_VOID) {
gboolean arg_failed;
+ g_assert_cmpuint(next_rval, <, function->js_out_argc);
arg_failed = !gjs_value_from_g_argument(context, &return_values[next_rval],
&return_info, (GArgument*)&return_value);
if (arg_failed)
@@ -733,9 +751,11 @@ release:
GITransfer transfer;
if (direction == GI_DIRECTION_IN) {
+ g_assert_cmpuint(in_args_pos, <, in_args_len);
arg = &in_arg_cvalues[in_args_pos];
transfer = g_arg_info_get_ownership_transfer(&arg_info);
} else {
+ g_assert_cmpuint(inout_args_pos, <, inout_args_len);
arg = &inout_original_arg_cvalues[inout_args_pos];
++inout_args_pos;
/* For inout, transfer refers to what we get back from the function; for
@@ -767,6 +787,7 @@ release:
g_assert(next_rval < function->js_out_argc);
+ g_assert_cmpuint(out_args_pos, <, out_args_len);
arg = &out_arg_cvalues[out_args_pos];
arg_failed = FALSE;
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]