On Sat, Nov 16, 2013 at 02:31:03PM +0100, Lubomir Rintel wrote:
> Otherwise the tail of fds_in buffer would just shift beyond the beginning.
> That confuses the actual request handler and results in a crash further on
> due to corrupted tail.
>
> Signed-off-by: Lubomir Rintel <lkund...@v3.sk>
> ---
> Changes since v1:
> Erroring out early instead of calling the request handler with invalid
> fd number

That looks good now, committed.

Kristian

> src/connection.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/src/connection.c b/src/connection.c > index 451b93e..1d8b61b 100644 > --- a/src/connection.c > +++ b/src/connection.c > @@ -744,6 +744,15 @@ wl_connection_demarshal(struct wl_connection *connection, > p = next; > break; > case 'h': > + if (connection->fds_in.tail == connection->fds_in.head) > { > + printf("file descriptor expected, " > + "object (%d), message %s(%s)\n", > + closure->sender_id, message->name, > + message->signature); > + errno = EINVAL; > + goto err; > + } > + > wl_buffer_copy(&connection->fds_in, &fd, sizeof fd); > connection->fds_in.tail += sizeof fd; > closure->args[i].h = fd; > -- > 1.8.4.2
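
Review bot: in the 'h' case the new guard only tests `connection->fds_in.tail == connection->fds_in.head`, which catches an empty fds_in buffer, while the `wl_buffer_copy(&connection->fds_in, &fd, sizeof fd)` that follows consumes `sizeof fd` bytes. If the buffer can ever hold fewer than `sizeof fd` bytes without being empty, tail would still move past head; checking that at least `sizeof fd` bytes are queued between tail and head would cover both cases. Separately, the diagnostic is emitted with `printf`, so it lands on stdout; stderr or the project's logging path would be a better destination for an error that a peer can trigger by sending a message without the expected descriptor.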