insufficient input validation in GDBusMenuModel
Submitted by Allison (desrt)
Link to original bug (#728733)
Description
https://errors.ubuntu.com/problem/648b0ee396d66bc960c224a5794f5c22850b51ed shows some crashes caused by insufficient input validation on GDBusMenuModel.
This code was never written with security in mind but it's pretty clear that invalid input from across D-Bus should not cause crashes. It's also scary that we plan to use this code (some day) inside of the shell to speak with sandboxed applications that want to publish app menus...
In this particular case, we don't adequately inspect the position/removed/added fields on changed signals for sanity. We actually make sure that position+removed is in range, but when position is -1 and removed is 1, that's 0...