gvariant: Fix bounds checking in GVariant text format parser (!236) · Merge requests · GNOME / GLib

Philip Withnall requested to merge pwithnall/glib:1481-variant-parse-overflow into master Aug 09, 2018

The token_stream_peek() functions were not doing any bounds checking, so could potentially read 1 byte off the end of the input blob. This was never noticed, since the input stream is almost always a nul-terminated string. However, g_variant_parse() does allow non-nul-terminated strings to be used with a @limit parameter, and the bugs become apparent under valgrind if that parameter is used.

This includes modifications to the test cases to cover the non-nul-terminated case.

Spotted by ossfuzz.

Signed-off-by: Philip Withnall withnall@endlessm.com

Closes #1481 (closed)

gvariant: Fix bounds checking in GVariant text format parser

Merge request reports