diff options
author | Carsten Haitzler (Rasterman) <raster@rasterman.com> | 2017-03-23 16:27:19 +0900 |
---|---|---|
committer | Carsten Haitzler (Rasterman) <raster@rasterman.com> | 2017-03-23 16:27:19 +0900 |
commit | 02a7e00c01ea727eaae6066b2cf1b075be7c3287 (patch) | |
tree | 55153a7b7c70407fbce0e3d237f4ccf938e30188 | |
parent | 2787f0fe5dfe1e880a07bf957aa2a111866f25dc (diff) | |
download | efl-02a7e00c01ea727eaae6066b2cf1b075be7c3287.tar.gz |
ecore_evas extn - fix buffer n check for lock files with untrusted val
the code added by minkyoung has a definite security flaw here trusting
e->response to be within a small range when all it is is an int -
range is not limited other than that... so fix the code to check for
range like further code below does.
this commit went in 2 days ago... so not an existing bug fix.
-rw-r--r-- | src/modules/ecore_evas/engines/extn/ecore_evas_extn.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/src/modules/ecore_evas/engines/extn/ecore_evas_extn.c b/src/modules/ecore_evas/engines/extn/ecore_evas_extn.c index af5f3de88d..16335da1d2 100644 --- a/src/modules/ecore_evas/engines/extn/ecore_evas_extn.c +++ b/src/modules/ecore_evas/engines/extn/ecore_evas_extn.c @@ -1021,16 +1021,20 @@ _ipc_server_data(void *data, int type EINA_UNUSED, void *event) { Ipc_Data_Update *ipc; int n = e->response; + /* b->lockfd is not enough to ensure the size is same * between what server knows, and client knows. * So should check file lock also. */ - if (extn->b[n].buf && (!_extnbuf_lock_file_get(extn->b[n].buf))) - { - EINA_LIST_FREE(extn->file.updates, ipc) + if ((n >= 0) && (n < NBUF)) + { + if (extn->b[n].buf && (!_extnbuf_lock_file_get(extn->b[n].buf))) { - free(ipc); + EINA_LIST_FREE(extn->file.updates, ipc) + { + free(ipc); + } + break; } - break; } EINA_LIST_FREE(extn->file.updates, ipc) |