Bug 69267

Summary: Putting a lot of data into wl_buffer can lead to SIGSEGV
Product: Wayland
Reporter: Marek Chalupa <mchqwerty>
Component: wayland
Assignee: Wayland bug list <wayland-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: critical
Priority: medium
Version: unspecified
Hardware: Other
OS: All
Whiteboard:
i915 platform:
i915 features:

Description Marek Chalupa 2013-09-12 12:04:09 UTC
Hey,

I was just browsing the code and I discovered that in wl_buffer_put it is possible to put more than 8192 bytes into the buffer at once, which means that we will use memory which doesn't belong to wl_buffer. I don't know if it's on purpose (because I did some debugging and nowhere was such an amount of bytes passed), but still this can be a hole.

I successfully got SIGSEGV doing this:

...
...
void *long_data = malloc(big_number);
wl_connection_write(connection, long_data, big_number);
...
...
Comment 1 Kristian Høgsberg 2014-04-21 21:51:09 UTC
commit bc609053188cb89bdcd4dbcf6de0eab2217d3274
Author: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Date:   Thu Apr 17 18:20:37 2014 +0300

    connection: Don't write past the end of the connection buffer
    
    If a message was too big to fit in the connection buffer, the code
    in wl_buffer_put would just write past the end of it.
    
    I haven't seen any real world use case that would trigger this bug, but
    it was possible to trigger it by sending a long enough string to the
    wl_data_source.offer request.
    
    https://bugs.freedesktop.org/show_bug.cgi?id=69267
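As an added illustration of the defect class and its remedy (this is constructed example code, not Wayland's connection code and not the patch the commit above refers to): a power-of-two ring buffer with the 8192-byte capacity the report mentions, where the copy-in routine wraps at the end of the array exactly as an unchecked put would, and a checked put in front of it refuses any message that cannot fit in the free space. The names ring_buf, ring_copy_in, ring_put_checked and ring_get, and the choice of returning -1 with errno set to E2BIG, are this example's own assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a power-of-two ring buffer of the 8192-byte capacity
 * the bug report mentions. All identifiers here are hypothetical, not
 * Wayland's own. */
#define RING_SIZE 8192u
#define RING_MASK (RING_SIZE - 1)

struct ring_buf {
    char data[RING_SIZE];
    uint32_t head;   /* total bytes ever written; masked for indexing */
    uint32_t tail;   /* total bytes ever consumed */
};

static uint32_t ring_used(const struct ring_buf *b)  { return b->head - b->tail; }
static uint32_t ring_space(const struct ring_buf *b) { return RING_SIZE - ring_used(b); }

/* Copy count bytes in at head, wrapping at the end of the array. This is the
 * shape of an unchecked put: when head + count crosses the end, the remainder
 * is written from data[0]. With count larger than RING_SIZE that second memcpy
 * writes past the end of data[], which is the overrun the report describes.
 * It is only safe when the caller has already verified count <= ring_space(). */
static void ring_copy_in(struct ring_buf *b, const void *src, size_t count)
{
    uint32_t head = b->head & RING_MASK;
    if (head + count <= RING_SIZE) {
        memcpy(b->data + head, src, count);
    } else {
        size_t first = RING_SIZE - head;
        memcpy(b->data + head, src, first);
        memcpy(b->data, (const char *)src + first, count - first);
    }
    b->head += count;
}

/* Hardened put: refuse anything that does not fit in the space that is
 * actually free, so neither unread bytes nor memory past the array is
 * touched. Signalling the refusal via -1 and E2BIG is this example's choice. */
static int ring_put_checked(struct ring_buf *b, const void *src, size_t count)
{
    if (count > ring_space(b)) {
        errno = E2BIG;
        return -1;
    }
    ring_copy_in(b, src, count);
    return 0;
}

/* Copy out up to count bytes, handling wrap-around; returns bytes copied. */
static size_t ring_get(struct ring_buf *b, void *dst, size_t count)
{
    if (count > ring_used(b))
        count = ring_used(b);
    uint32_t tail = b->tail & RING_MASK;
    if (tail + count <= RING_SIZE) {
        memcpy(dst, b->data + tail, count);
    } else {
        size_t first = RING_SIZE - tail;
        memcpy(dst, b->data + tail, first);
        memcpy((char *)dst + first, b->data, count - first);
    }
    b->tail += count;
    return count;
}

/* The report's scenario made safe: a write one byte larger than the whole
 * buffer is rejected and the buffer is left untouched. Returns 1 on success. */
static int demo_oversize_rejected(void)
{
    struct ring_buf b = {0};
    size_t big_number = RING_SIZE + 1;
    char *long_data = calloc(big_number, 1);   /* constructed oversize message */
    int rc = ring_put_checked(&b, long_data, big_number);
    int ok = (rc == -1 && errno == E2BIG && b.head == 0);
    free(long_data);
    return ok;
}

/* Legitimate wrap-around still works: fill most of the buffer, drain it, then
 * write a message that straddles the end of the array and read it back.
 * Returns 1 if the bytes survive the round trip intact. */
static int demo_wraparound_roundtrip(void)
{
    struct ring_buf b = {0};
    char scratch[8000];
    memset(scratch, 'x', sizeof scratch);
    if (ring_put_checked(&b, scratch, sizeof scratch) < 0) return 0;
    if (ring_get(&b, scratch, sizeof scratch) != sizeof scratch) return 0;

    char msg[500], out[500];                   /* constructed payload */
    for (size_t i = 0; i < sizeof msg; i++) msg[i] = (char)(i & 0x7f);
    if (ring_put_checked(&b, msg, sizeof msg) < 0) return 0;  /* 8000 -> 8500 wraps */
    if (ring_get(&b, out, sizeof out) != sizeof out) return 0;
    return memcmp(msg, out, sizeof msg) == 0;
}
```

The check compares against the free space rather than the array size, because a message that is smaller than the array but larger than what is currently unread would otherwise silently overwrite bytes the reader has not yet consumed; a caller that gets -1 can flush first and retry, or treat the message as too large to send.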
