components/gnome/gnome-session/patches/04-24683186.patch
changeset 7360 2cfe8fed0a7b
7359:bea0a4beaf5e 7360:2cfe8fed0a7b
       
     1 Security bug fix from upstream which can be deleted when we bring in 
       
     2 3.20.2
       
     3 
       
     4 From 634ab70d9f03b1650be4b8259091ca3036f0fbf9 Mon Sep 17 00:00:00 2001
       
     5 From: Hanno Boeck <[email protected]>
       
     6 Date: Mon, 11 Jul 2016 10:37:03 -0400
       
     7 Subject: main: fix heap overflow in dbus-launch wrapping
       
     8 
       
     9 I have discovered a heap overflow with the help of an address sanitizer.
       
    10 
       
    11 The require_dbus_session() function has this code:
       
    12 
       
    13         new_argv = g_malloc (argc + 3 * sizeof (*argv));
       
    14 
       
    15 The intention is to allocate space for (argc + 3) pointers. However obviously a
       
    16 parenthesis is missing, therefore only argc bytes + 3 * pointer size gets
       
    17 allocated, which is insufficient space. This leads to invalid memory writes.
       
    18 
       
    19 The fix is trivial: Parentheses around argc + 3.
       
    20 
       
    21 https://bugzilla.gnome.org/show_bug.cgi?id=768441
       
    22 ---
       
    23  gnome-session/main.c | 2 +-
       
    24  1 file changed, 1 insertion(+), 1 deletion(-)
       
    25 
       
    26 diff --git a/gnome-session/main.c b/gnome-session/main.c
       
    27 index 9f3ca0f..bd23824 100644
       
    28 --- a/gnome-session/main.c
       
    29 +++ b/gnome-session/main.c
       
    30 @@ -187,7 +187,7 @@ require_dbus_session (int      argc,
       
    31                                TRUE);
       
    32  
       
    33          /* +2 for our new arguments, +1 for NULL */
       
    34 -        new_argv = g_malloc (argc + 3 * sizeof (*argv));
       
    35 +        new_argv = g_malloc ((argc + 3) * sizeof (*argv));
       
    36  
       
    37          new_argv[0] = "dbus-launch";
       
    38          new_argv[1] = "--exit-with-session";
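Review bot: The corrected line `new_argv = g_malloc ((argc + 3) * sizeof (*argv));` still computes the byte count by hand, which is the same pattern that let the missing parenthesis through in the first place. Consider GLib's `g_new` (or `g_malloc_n`) with an element count of `argc + 3`, so that the count and the element size are separate arguments and GLib performs the multiplication with an overflow check. The existing `+2 for our new arguments, +1 for NULL` comment would then map directly onto the count argument.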