[gnome-session] main: fix heap overflow in dbus-launch wrapping
- From: Ray Strode <halfline src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-session] main: fix heap overflow in dbus-launch wrapping
- Date: Fri, 22 Jul 2016 17:14:51 +0000 (UTC)
commit 7ee3571c79ea202a8309f64f3cb235119178d080
Author: Hanno Boeck <hanno hboeck de>
Date: Mon Jul 11 10:37:03 2016 -0400
main: fix heap overflow in dbus-launch wrapping
I have discovered a heap overflow with the help of an address sanitizer.
The require_dbus_session() function has this code:
new_argv = g_malloc (argc + 3 * sizeof (*argv));
The intention is to allocate space for (argc + 3) pointers. However obviously a
parenthesis is missing, therefore only argc bytes + 3 * pointer size gets
allocated, which is insufficient space. This leads to invalid memory writes.
The fix is trivial: Parentheses around argc + 3.
https://bugzilla.gnome.org/show_bug.cgi?id=768441
gnome-session/main.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/gnome-session/main.c b/gnome-session/main.c
index 3dd6529..4f5b7f5 100644
--- a/gnome-session/main.c
+++ b/gnome-session/main.c
@@ -189,7 +189,7 @@ require_dbus_session (int argc,
TRUE);
/* +2 for our new arguments, +1 for NULL */
- new_argv = g_malloc (argc + 3 * sizeof (*argv));
+ new_argv = g_malloc ((argc + 3) * sizeof (*argv));
new_argv[0] = "dbus-launch";
new_argv[1] = "--exit-with-session";
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]