On 17/04/2014 17:20, Ander Conselvan de Oliveira wrote:
> From: Ander Conselvan de Oliveira <[email protected]>
> If a message was too big to fit in the connection buffer, the code
> in wl_buffer_put would just write past the end of it.
> I haven't seen any real world use case that would trigger this bug, but
> it was possible to trigger it by sending a long enough string to the
> wl_data_source.offer request.
> https://bugs.freedesktop.org/show_bug.cgi?id=69267
Perhaps this should be marked as a security issue. If a wayland client
can control an answer generated by the server, it would be able to
overflow the buffer and corrupt the compositor's memory. I haven't checked
whether it's feasible.
Regards.
--
David FORT
website: http://www.hardening-consulting.com/
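To make the defect class concrete, the following is an added example, not libwayland code and not part of this thread: a small fixed-size ring buffer modelled on the kind of connection buffer the quoted commit message refers to, with a put that checks the remaining space before copying. The type and function names (ring_buffer, ring_put, queue_offer, the scenario functions) and the 64-byte size are assumptions chosen for the illustration; the message layout in queue_offer is only shaped like a string argument (length word plus padded string), not a faithful Wayland wire encoding.

```c
/* Added example (hypothetical names, not libwayland's own code). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RING_SIZE 64u                 /* power of two; deliberately small */
#define RING_MASK (RING_SIZE - 1u)

struct ring_buffer {
    uint8_t data[RING_SIZE];
    uint32_t head;                    /* total bytes written (unmasked) */
    uint32_t tail;                    /* total bytes consumed (unmasked) */
};

static void ring_init(struct ring_buffer *b) { memset(b, 0, sizeof *b); }
static uint32_t ring_used(const struct ring_buffer *b) { return b->head - b->tail; }
static uint32_t ring_space(const struct ring_buffer *b) { return RING_SIZE - ring_used(b); }

/* Copy len bytes in at the write position, wrapping at the end of the array.
 * Precondition: len <= ring_space(b). The bug described in the commit message
 * is the equivalent of calling this copy without enforcing that precondition. */
static void ring_copy_in(struct ring_buffer *b, const uint8_t *src, size_t len)
{
    uint32_t off = b->head & RING_MASK;
    size_t first = RING_SIZE - off;
    if (first > len)
        first = len;
    memcpy(b->data + off, src, first);
    memcpy(b->data, src + first, len - first);
    b->head += (uint32_t)len;
}

/* Checked put: refuse a message that does not fit and leave the ring untouched,
 * so the caller can fail the request or drop the client instead of corrupting memory. */
static int ring_put(struct ring_buffer *b, const void *src, size_t len)
{
    if (len > ring_space(b))
        return -1;
    ring_copy_in(b, (const uint8_t *)src, len);
    return 0;
}

/* Read up to len bytes out of the ring; returns the number actually copied. */
static size_t ring_get(struct ring_buffer *b, void *dst, size_t len)
{
    if (len > ring_used(b))
        len = ring_used(b);
    uint32_t off = b->tail & RING_MASK;
    size_t first = RING_SIZE - off;
    if (first > len)
        first = len;
    memcpy(dst, b->data + off, first);
    memcpy((uint8_t *)dst + first, b->data, len - first);
    b->tail += (uint32_t)len;
    return len;
}

/* Queue a message shaped like a single string argument: a 4-byte length word,
 * then the NUL-terminated string padded to a 4-byte boundary. Returns the bytes
 * queued, or 0 if the message could not be queued (too large or ring full). */
static size_t queue_offer(struct ring_buffer *b, const char *mime)
{
    uint8_t msg[RING_SIZE * 2];      /* scratch for serialization */
    size_t slen = strlen(mime) + 1;
    size_t padded = (slen + 3) & ~(size_t)3;
    size_t total = 4 + padded;
    uint32_t word = (uint32_t)slen;
    if (total > sizeof msg)
        return 0;
    memset(msg, 0, total);
    memcpy(msg, &word, 4);
    memcpy(msg + 4, mime, slen);
    return ring_put(b, msg, total) < 0 ? 0 : total;
}

/* Constructed scenario: a short mime type fits; a 100-character one exceeds the
 * ring and is refused with head unchanged. Returns 1 on the expected outcome. */
static int scenario_long_offer_rejected(void)
{
    struct ring_buffer b;
    char longmime[101];
    uint32_t before;
    ring_init(&b);
    memset(longmime, 'x', 100);
    longmime[100] = '\0';
    if (queue_offer(&b, "text/plain") != 16)   /* 4 + ("text/plain"+NUL padded to 12) */
        return 0;
    before = b.head;
    if (queue_offer(&b, longmime) != 0 || b.head != before)
        return 0;
    return 1;
}

/* Constructed scenario: data survives a wrap around the end of the array. */
static int scenario_wraparound_roundtrip(void)
{
    struct ring_buffer b;
    uint8_t in[48], out[48];
    int i;
    ring_init(&b);
    for (i = 0; i < 48; i++)
        in[i] = (uint8_t)i;
    if (ring_put(&b, in, 48) != 0 || ring_get(&b, out, 48) != 48)
        return 0;
    if (ring_put(&b, in, 48) != 0 || ring_get(&b, out, 48) != 48)  /* wraps */
        return 0;
    return memcmp(in, out, 48) == 0;
}
```

The point of the checked put is that the decision of what to do with an oversized message (fail the request, close the connection) is made by the caller on an error return, and the buffer contents and indices are never modified on the failure path, so there is no state in which an attacker-influenced length has already been acted on.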
_______________________________________________
wayland-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/wayland-devel