Arrays of zero-element tuples with non-zero length lead to infinite loops in g_dbus_message_new_from_blob
This is https://oss-fuzz.com/testcase-detail/5606831840428032 and https://oss-fuzz.com/testcase-detail/4510453166899200.
The reason is that when unpacking an array of zero-element tuples (which take up no room at all) with a non-zero length, the unpacking loop is never left: each iteration consumes zero bytes, so the offset never reaches the end of the array.
Note that https://dbus.freedesktop.org/doc/dbus-specification.html specifically prohibits empty tuples (what they call structures):
Empty structures are not allowed; there must be at least one type code between the parentheses.
I see two ways to resolve this (they can be combined):

- Follow the specification and prohibit empty tuples when encoding and decoding D-Bus messages. Note that GVariant allows empty tuples and serializes them in a different way which doesn't exhibit this problem.
- When deserializing D-Bus message arrays, error out if no bytes were consumed for an element, since that would otherwise be an infinite loop. This might also prevent similar future problems when decoding arrays of other zero-size objects (if there are any more?). Note that even ignoring the prohibition on empty tuples, you cannot encode an array of empty tuples with more than zero elements in a D-Bus message, because the array length field counts bytes, not elements, and empty tuples contribute none.
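To make the two proposals concrete, here is a toy decoder written for this page as an added example; it is not GLib code and not the patches mentioned in this report. It handles a small subset of the D-Bus wire format (little-endian; types `y`, `i`, `u`, arrays and structs), with a signature check that rejects `()` as the specification requires (the first proposal) and an array loop that fails with `DEC_ERR_NO_PROGRESS` when an element consumes zero bytes (the second proposal). The function names, the error enum, the placement of the spec's 32-level nesting limit, and the sample blobs are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Toy walker for the D-Bus wire format (little-endian; type subset y i u a ( )).
 * Constructed for this example, not GLib code: it models the unpacking loop the
 * report describes and both proposed fixes. */
typedef enum {
    DEC_OK = 0,
    DEC_ERR_TRUNCATED,   /* value runs past the end of the blob or its array */
    DEC_ERR_NO_PROGRESS, /* an array element consumed zero bytes (fix 2) */
    DEC_ERR_SIGNATURE    /* malformed or unsupported type signature */
} dec_status;
#define MAX_DEPTH 32 /* container nesting limit from the D-Bus spec */
static size_t align_up(size_t off, size_t a) { return (off + a - 1) & ~(a - 1); }
/* Natural alignment of a type, from the first character of its signature. */
static size_t type_alignment(char c) { return c == '(' ? 8 : c == 'y' ? 1 : 4; }

/* Advance *sig past one complete type, checking that it is well formed. With
 * allow_empty_struct == false this is the spec's rule (fix 1): "()" is rejected. */
static bool skip_complete_type(const char **sig, bool allow_empty_struct, int depth)
{
    if (depth > MAX_DEPTH) return false;
    switch (*(*sig)++) {
    case 'y': case 'i': case 'u': return true;
    case 'a': return skip_complete_type(sig, allow_empty_struct, depth + 1);
    case '(': {
        size_t members = 0;
        while (**sig != ')' && **sig != '\0') {
            if (!skip_complete_type(sig, allow_empty_struct, depth + 1)) return false;
            members++;
        }
        if (**sig != ')' || (members == 0 && !allow_empty_struct)) return false;
        (*sig)++;
        return true;
    }
    default: return false; /* unsupported type, or ')'/NUL where a type was expected */
    }
}

/* Fix 1: reject signatures the spec forbids, empty structs included. */
static bool dbus_signature_is_valid(const char *sig)
{
    while (*sig != '\0')
        if (!skip_complete_type(&sig, false, 0)) return false;
    return true;
}

/* Walk one value of the type at *sig stored at *offset, advancing both. */
static dec_status decode_value(const char **sig, const uint8_t *blob, size_t len,
                               size_t *offset, int depth)
{
    if (depth > MAX_DEPTH) return DEC_ERR_SIGNATURE;
    char t = *(*sig)++;
    if (t == 'y' || t == 'i' || t == 'u') {
        size_t size = (t == 'y') ? 1 : 4;
        *offset = align_up(*offset, size);
        if (*offset > len || len - *offset < size) return DEC_ERR_TRUNCATED;
        *offset += size;
        return DEC_OK;
    }
    if (t == '(') {
        *offset = align_up(*offset, 8); /* an empty struct consumes nothing beyond padding */
        while (**sig != ')' && **sig != '\0') {
            dec_status st = decode_value(sig, blob, len, offset, depth + 1);
            if (st != DEC_OK) return st;
        }
        if (**sig != ')') return DEC_ERR_SIGNATURE;
        (*sig)++;
        return DEC_OK;
    }
    if (t == 'a') {
        const char *elem_sig = *sig;
        *offset = align_up(*offset, 4);
        if (*offset > len || len - *offset < 4) return DEC_ERR_TRUNCATED;
        /* uint32 byte length of the element data, then padding to element alignment */
        uint32_t nbytes = (uint32_t)blob[*offset] | (uint32_t)blob[*offset + 1] << 8
                        | (uint32_t)blob[*offset + 2] << 16 | (uint32_t)blob[*offset + 3] << 24;
        *offset = align_up(*offset + 4, type_alignment(*elem_sig));
        if (*offset > len || len - *offset < nbytes) return DEC_ERR_TRUNCATED;
        size_t end = *offset + nbytes;
        while (*offset < end) {
            size_t before = *offset;
            const char *s = elem_sig;
            dec_status st = decode_value(&s, blob, end, offset, depth + 1);
            if (st != DEC_OK) return st;
            /* Fix 2: an element that consumed no bytes would spin here forever. */
            if (*offset == before) return DEC_ERR_NO_PROGRESS;
        }
        return skip_complete_type(sig, true, depth + 1) ? DEC_OK : DEC_ERR_SIGNATURE;
    }
    return DEC_ERR_SIGNATURE;
}

/* Decode a whole message body against its signature; *consumed gets the bytes used. */
static dec_status decode_body(const char *sig, const uint8_t *blob, size_t len, size_t *consumed)
{
    size_t offset = 0;
    dec_status st = DEC_OK;
    while (*sig != '\0' && (st = decode_value(&sig, blob, len, &offset, 0)) == DEC_OK) ;
    if (consumed) *consumed = offset;
    return st;
}
```

A constructed blob for `a()` with a length field of 8 (the shape the fuzzer found) returns `DEC_ERR_NO_PROGRESS` from the array loop instead of hanging, while the same signature with a zero length field decodes fine, which is the case the note above makes: the only encodable array of empty tuples is the empty one. Running `dbus_signature_is_valid` before decoding rejects `a()` outright and makes the loop guard a second line of defence rather than the only one.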
I'll attach patches for the two solutions soon.
P.S.: Coverage-guided fuzzing is amazing, almost magic.