Bug 69267 - Putting a lot of data into wl_buffer can lead to SIGSEGV
Summary: Putting a lot of data into wl_buffer can lead to SIGSEGV
Alias: None
Product: Wayland
Classification: Unclassified
Component: wayland (show other bugs)
Version: unspecified
Hardware: Other All
: medium critical
Assignee: Wayland bug list
QA Contact:
Depends on:
Reported: 2013-09-12 12:04 UTC by Marek Chalupa
Modified: 2014-04-21 21:51 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Description Marek Chalupa 2013-09-12 12:04:09 UTC

I just were browsing the code and I discovered that in wl_buffer_put is possible to put into buffer more than 8192 bytes at once which means that we will use memory which doesn't belong to wl_buffer. I don't know if it's on purpose (because I did some debugging and nowhere were passed such an amount of bytes) but still this can be a hole.

I successfully got SIGSEGV doing this:

void *long_data = malloc(big_number)
wl_connection_write(connection, long_data, big_number);
Comment 1 Kristian Høgsberg 2014-04-21 21:51:09 UTC
commit bc609053188cb89bdcd4dbcf6de0eab2217d3274
Author: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Date:   Thu Apr 17 18:20:37 2014 +0300

    connection: Don't write past the end of the connection buffer
    If a message was too big to fit in the connection buffer, the code
    in wl_buffer_put would just write past the end of it.
    I haven't seen any real world use case that would trigger this bug, but
    it was possible to trigger it by sending a long enough string to the
    wl_data_source.offer request.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.