Commit 7ee3571c authored by Hanno Böck, committed by Ray Strode

main: fix heap overflow in dbus-launch wrapping

I have discovered a heap overflow with the help of an address sanitizer.

The require_dbus_session() function has this code:

        new_argv = g_malloc (argc + 3 * sizeof (*argv));

The intention is to allocate space for (argc + 3) pointers. However obviously a
parenthesis is missing, therefore only argc bytes + 3 * pointer size gets
allocated, which is insufficient space. This leads to invalid memory writes.

The fix is trivial: Parentheses around argc + 3.

https://bugzilla.gnome.org/show_bug.cgi?id=768441
parent a3af0469
......@@ -189,7 +189,7 @@ require_dbus_session (int argc,
TRUE);
/* +2 for our new arguments, +1 for NULL */
new_argv = g_malloc (argc + 3 * sizeof (*argv));
new_argv = g_malloc ((argc + 3) * sizeof (*argv));
new_argv[0] = "dbus-launch";
new_argv[1] = "--exit-with-session";
......
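Review bot: the corrected `new_argv = g_malloc ((argc + 3) * sizeof (*argv));` line still computes count times element size by hand, which is the pattern that let the missing parentheses go unnoticed. Consider `new_argv = g_malloc_n (argc + 3, sizeof (*argv));` instead: GLib's `g_malloc_n` takes the element count and element size as separate arguments, so a precedence slip of this kind cannot be written, and it also checks the multiplication for overflow. The `+2 for our new arguments, +1 for NULL` comment above the line already states the intended count, so the call would then read the same way as the comment.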