Security bug fix from upstream which can be deleted when we bring in
3.20.2

From 634ab70d9f03b1650be4b8259091ca3036f0fbf9 Mon Sep 17 00:00:00 2001
From: Hanno Boeck <[email protected]>
Date: Mon, 11 Jul 2016 10:37:03 -0400
Subject: main: fix heap overflow in dbus-launch wrapping

I have discovered a heap overflow with the help of an address sanitizer.

The require_dbus_session() function has this code:

new_argv = g_malloc (argc + 3 * sizeof (*argv));

The intention is to allocate space for (argc + 3) pointers. However obviously a
parenthesis is missing, therefore only argc bytes + 3 * pointer size gets
allocated, which is insufficient space. This leads to invalid memory writes.

The fix is trivial: Parentheses around argc + 3.

https://bugzilla.gnome.org/show_bug.cgi?id=768441
---
gnome-session/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

26 diff --git a/gnome-session/main.c b/gnome-session/main.c |
|
27 index 9f3ca0f..bd23824 100644 |
|
28 --- a/gnome-session/main.c |
|
29 +++ b/gnome-session/main.c |
|
30 @@ -187,7 +187,7 @@ require_dbus_session (int argc, |
|
31 TRUE); |
|
32 |
|
33 /* +2 for our new arguments, +1 for NULL */ |
|
34 - new_argv = g_malloc (argc + 3 * sizeof (*argv)); |
|
35 + new_argv = g_malloc ((argc + 3) * sizeof (*argv)); |
|
36 |
|
37 new_argv[0] = "dbus-launch"; |
|
38 new_argv[1] = "--exit-with-session"; |
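
Review bot: The corrected size on the `+` line is still a hand-written element-count multiplication in `int`/`size_t` arithmetic, which is the pattern that allowed the precedence mistake in the first place. Consider replacing `g_malloc ((argc + 3) * sizeof (*argv))` with GLib's typed allocator, for example `new_argv = g_new (char *, argc + 3);` (assuming `argv` is `char **`, which the visible lines do not show). `g_new` takes the element type and count separately, so there is no expression to mis-parenthesize, and it checks the multiplication for overflow. The count of `argc + 3` agrees with the comment above it (+2 for the new arguments, +1 for NULL) and with the two `new_argv[0]` and `new_argv[1]` writes that follow.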