From 2c57d3d939535fdf4e7ef3d74205d4cae9ba9e4b Mon Sep 17 00:00:00 2001
From: Boram Park
Date: Wed, 13 Sep 2017 09:51:21 +0900
Subject: [PATCH] connection: add sanity check to avoid buffer overflow

Before putting data into a buffer, we have to make sure that the data size is smaller than not only the buffer's full size but also the buffer's empty size.

Signed-off-by: Boram Park
---
 src/connection.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/connection.c b/src/connection.c
index 5c3d187..53b1621 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -63,14 +63,17 @@ struct wl_connection {
 int want_flush;
 };
+static uint32_t wl_buffer_size(struct wl_buffer *b);
+
 static int wl_buffer_put(struct wl_buffer *b, const void *data, size_t count) {
- uint32_t head, size;
+ uint32_t head, size, empty;
- if (count > sizeof(b->data)) {
+ empty = sizeof(b->data) - wl_buffer_size(b);
+ if (count > empty) {
 wl_log("Data too big for buffer (%d > %d).\n",
- count, sizeof(b->data));
+ count, empty);
 errno = E2BIG;
 return -1;
 }
--
1.9.1
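Review bot: The new guard in wl_buffer_put computes `empty = sizeof(b->data) - wl_buffer_size(b)` in unsigned arithmetic, so if wl_buffer_size() ever returned more than sizeof(b->data) the subtraction would wrap to a very large value and the `count > empty` check would let the write through. Only the forward declaration of wl_buffer_size is visible here, so whether that state is reachable depends on invariants outside this hunk. A defensive form is to take `used = wl_buffer_size(b)` first and test `if (used > sizeof(b->data) || count > sizeof(b->data) - used)`. Separately, the wl_log call still formats `count` (a size_t) and `empty` (a uint32_t) with `%d`; assuming wl_log is printf-style, `"Data too big for buffer (%zu > %u).\n"` would match the argument types. The body of wl_buffer_put continues past the end of the hunk.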