On Apr 17, 2014 10:37 AM, "Hardening" <[email protected]> wrote:
>
> On 17/04/2014 17:20, Ander Conselvan de Oliveira wrote:
>
>> From: Ander Conselvan de Oliveira <[email protected]>
>>
>> If a message was too big to fit in the connection buffer, the code
>> in wl_buffer_put would just write past the end of it.
>>
>> I haven't seen any real world use case that would trigger this bug, but
>> it was possible to trigger it by sending a long enough string to the
>> wl_data_source.offer request.

I don't think this issue is one that can be client-triggered, since we check everything pretty well when it comes in. (I haven't done a full audit in a while.) It should only be an issue if the client or server sends the other a string or array that's too long. Previously it would cause the sender to crash, but throwing an error is probably better.

>>
>> https://bugs.freedesktop.org/show_bug.cgi?id=69267
>
>
> Perhaps this should be marked as a security issue. If a wayland client can control an answer generated by the server, it would be able to overflow the buffer and corrupt the compositor's memory. I haven't checked whether it's feasible.
>
> Regards.
>
> --
> David FORT
> website: http://www.hardening-consulting.com/
>
> _______________________________________________
> wayland-devel mailing list
> [email protected]
> http://lists.freedesktop.org/mailman/listinfo/wayland-devel
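The failure mode discussed in the thread (a marshalled message larger than the connection ring buffer being copied in without a capacity check) is easy to reproduce in miniature. The following is an added example, not Wayland's connection.c or the patch under review: a hypothetical ring buffer with a tiny, deliberately undersized BUF_SIZE, a put that refuses oversized writes and leaves the buffer untouched instead of writing past its end, and a marshaller that lays out a single-string request the way the Wayland wire format does (32-bit object id, 32-bit size<<16|opcode word, 32-bit string length including the NUL, string padded to 4 bytes). All names (ring_put, ring_get, marshal_string_request, queue_request) and the buffer size are invented for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ring buffer for the example. BUF_SIZE is deliberately tiny so
 * that an oversized string argument is trivial to construct; it is not the
 * real compositor buffer size. Must be a power of two for the mask trick. */
#define BUF_SIZE 64u
#define BUF_MASK (BUF_SIZE - 1u)

struct ring_buffer {
	char data[BUF_SIZE];
	uint32_t head;   /* total bytes ever written; write slot is head & BUF_MASK */
	uint32_t tail;   /* total bytes ever consumed; read slot is tail & BUF_MASK */
};

static uint32_t ring_used(const struct ring_buffer *b)
{
	return b->head - b->tail;
}

static uint32_t ring_space(const struct ring_buffer *b)
{
	return BUF_SIZE - ring_used(b);
}

/* Append count bytes, handling wrap-around. The capacity check runs before
 * any memcpy, so an oversized message is rejected with -1/E2BIG and the
 * buffer contents and head are left exactly as they were. */
int ring_put(struct ring_buffer *b, const void *src, size_t count)
{
	const char *p = src;
	uint32_t head, first;

	if (count > ring_space(b)) {
		errno = E2BIG;
		return -1;
	}
	head = b->head & BUF_MASK;
	first = BUF_SIZE - head;          /* bytes available before the wrap */
	if (count <= first) {
		memcpy(b->data + head, p, count);
	} else {
		memcpy(b->data + head, p, first);
		memcpy(b->data, p + first, count - first);
	}
	b->head += (uint32_t)count;
	return 0;
}

/* Consume count bytes; -1/EAGAIN if that many are not queued yet. */
int ring_get(struct ring_buffer *b, void *dst, size_t count)
{
	char *p = dst;
	uint32_t tail, first;

	if (count > ring_used(b)) {
		errno = EAGAIN;
		return -1;
	}
	tail = b->tail & BUF_MASK;
	first = BUF_SIZE - tail;
	if (count <= first) {
		memcpy(p, b->data + tail, count);
	} else {
		memcpy(p, b->data + tail, first);
		memcpy(p + first, b->data, count - first);
	}
	b->tail += (uint32_t)count;
	return 0;
}

/* Marshal a request with one string argument using the Wayland wire layout:
 * header of object id and (size << 16 | opcode), then the string length
 * including NUL, then the string padded to a 4-byte boundary. Returns the
 * message size in bytes, or -1 if it does not fit in out or in 16 bits. */
int marshal_string_request(uint32_t *out, size_t out_words,
			   uint32_t object_id, uint16_t opcode, const char *str)
{
	size_t len = strlen(str) + 1;               /* NUL is part of the string */
	size_t padded = (len + 3) & ~(size_t)3;
	size_t size = 12 + padded;

	if (size > 0xffff || size / 4 > out_words)
		return -1;
	out[0] = object_id;
	out[1] = ((uint32_t)size << 16) | opcode;
	out[2] = (uint32_t)len;
	memset(out + 3, 0, padded);                 /* zero the padding bytes */
	memcpy(out + 3, str, len);
	return (int)size;
}

/* Queue a marshalled request; on any failure the ring buffer is unchanged. */
int queue_request(struct ring_buffer *b, const uint32_t *msg, int size)
{
	if (size < 0)
		return -1;
	return ring_put(b, msg, (size_t)size);
}

int main(void)
{
	struct ring_buffer b = {0};
	uint32_t msg[256];
	char big[200];
	int size, rc;

	/* Constructed input that fits: a short mime type, 12 + 12 = 24 bytes. */
	size = marshal_string_request(msg, 256, 3, 0, "text/plain");
	rc = queue_request(&b, msg, size);
	printf("short offer: %d bytes, queue=%d, used=%u\n", size, rc, ring_used(&b));

	/* Constructed input larger than the whole buffer: 12 + 200 = 212 bytes. */
	memset(big, 'A', sizeof big - 1);
	big[sizeof big - 1] = '\0';
	size = marshal_string_request(msg, 256, 3, 0, big);
	rc = queue_request(&b, msg, size);
	printf("long offer: %d bytes, queue=%d (errno %d), used=%u\n",
	       size, rc, rc ? errno : 0, ring_used(&b));
	return 0;
}
```

The point of the check's placement is that it guards the total message against free space, not just against the end of the array: a message can be rejected even when the buffer is empty, which is the case the thread describes, and the sender gets an error it can report rather than a silent write past the end of the buffer.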
