From fbb2aaaeb617d72ee4a20a855fc728fcd75ccd9a Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Tue, 27 Aug 2013 18:21:17 +0100
Subject: [PATCH 3/3] Avoid reading beyond the length of a variable

Appending &some as DBUS_TYPE_INT64, DBUS_TYPE_UINT64 or DBUS_TYPE_DOUBLE, where "some" is an int, reads beyond the bounds of that variable. Use a zero-filled DBusBasicValue instead.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=30350
---
 dbus/dbus-message-util.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/dbus/dbus-message-util.c b/dbus/dbus-message-util.c
index e50d04e..782260d 100644
--- a/dbus/dbus-message-util.c
+++ b/dbus/dbus-message-util.c
@@ -1474,10 +1474,14 @@ _dbus_message_test (const char *test_data_dir)
 /* Test enumeration of array elements */
 for (i = strlen (basic_types) - 1; i > 0; i--)
 {
+ DBusBasicValue val;
 int some;
 char* signature = _dbus_strdup ("?");
+
 signature[0] = basic_types[i];
 s = "SomeThingToSay";
+ memset (val, '\0', sizeof (val));
+
 message = dbus_message_new_method_call ("de.ende.test",
 "/de/ende/test", "de.ende.Test", "ArtistName");
 _dbus_assert (message != NULL);
@@ -1489,7 +1493,7 @@ _dbus_message_test (const char *test_data_dir)
 if (basic_types[i] == DBUS_TYPE_STRING)
 dbus_message_iter_append_basic (&array_iter, DBUS_TYPE_STRING, &s);
 else
- dbus_message_iter_append_basic (&array_iter, basic_types[i], &some);
+ dbus_message_iter_append_basic (&array_iter, basic_types[i], &val);
 }
 dbus_message_iter_close_container (&iter, &array_iter);
 dbus_message_iter_init (message, &iter);
-- 
1.8.4.rc3
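Review bot: The added `memset (val, '\0', sizeof (val));` in the first hunk passes the DBusBasicValue object itself rather than its address. `val` is declared as a plain `DBusBasicValue val;` at the top of the loop body and memset takes a pointer, so this line should not compile as written. It should read `memset (&val, '\0', sizeof (val));`, matching the `&val` that the second hunk hands to dbus_message_iter_append_basic. Since the zero fill is what keeps the append from reading past an int for the 64-bit and double types, a short comment above it such as `/* zero-filled so every basic type is read from initialized, in-bounds storage */` would keep the reason next to the code. The loop body and _dbus_message_test both continue outside these hunks.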