I was just browsing the code and I discovered that in wl_buffer_put it is possible to put more than 8192 bytes into the buffer at once, which means that we will use memory which doesn't belong to wl_buffer. I don't know if it's on purpose (because I did some debugging and nowhere was such an amount of bytes passed), but still this can be a hole.
I successfully got SIGSEGV doing this:
void *long_data = malloc(big_number);
wl_connection_write(connection, long_data, big_number);
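The bounds check the report above calls for, as an added example that is not Wayland's code or the commit's actual patch: a fixed-size ring buffer whose put routine refuses input it cannot hold instead of copying past the array. The names `struct ring`, `ring_used` and `ring_put_checked`, the free-running head/tail counters and the extra free-space check are assumptions; only the 8192-byte size comes from the report.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RING_SIZE 8192u                    /* buffer size quoted in the report */
#define RING_MASK(i) ((i) & (RING_SIZE - 1u))

/* Hypothetical ring buffer; head and tail are free-running byte counters. */
struct ring {
    char data[RING_SIZE];
    uint32_t head, tail;
};

/* Bytes written but not yet consumed. */
static size_t ring_used(const struct ring *r) { return r->head - r->tail; }

/* Copy count bytes in, wrapping at the end of data[].
 * Returns 0 on success, or -1 with errno set and the buffer untouched. */
static int ring_put_checked(struct ring *r, const void *src, size_t count)
{
    if (count > sizeof r->data) {          /* can never fit: refuse, no overrun */
        errno = E2BIG;
        return -1;
    }
    if (count > sizeof r->data - ring_used(r)) {  /* would clobber unread bytes */
        errno = ENOBUFS;
        return -1;
    }

    uint32_t head = RING_MASK(r->head);
    size_t first = sizeof r->data - head;  /* room left before the wrap point */

    if (count <= first) {
        memcpy(r->data + head, src, count);
    } else {
        /* Split the copy: tail of the array first, then the start. */
        memcpy(r->data + head, src, first);
        memcpy(r->data, (const char *)src + first, count - first);
    }
    r->head += (uint32_t)count;
    return 0;
}
```

Without the first check, a `count` above 8192 makes the wrapped copy run past `data[]`, which is the overrun the report describes.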
Author: Ander Conselvan de Oliveira <firstname.lastname@example.org>
Date: Thu Apr 17 18:20:37 2014 +0300
connection: Don't write past the end of the connection buffer
If a message was too big to fit in the connection buffer, the code
in wl_buffer_put would just write past the end of it.
I haven't seen any real world use case that would trigger this bug, but
it was possible to trigger it by sending a long enough string to the