author | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2021-03-25 17:27:23 +0000 |
---|---|---|
committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2021-03-25 17:27:23 +0000 |
commit | 760ba5c4f1c083c9fabd3ae37388f16cf9bc2984 (patch) | |
tree | 05c24ff5d4ed24f70f9b4b92a29919397569971b | |
parent | 55cbc3151743a3714a270f5160a86d6772c1ba4e (diff) | |
parent | b657e78add09e7273a26ff4278dbc01c60b90fc1 (diff) | |
download | glib-760ba5c4f1c083c9fabd3ae37388f16cf9bc2984.tar.gz |
Merge branch '2363-alloca-docs' into 'master'
galloca: Clarify alloca() sizes must always be controlled by the program
Closes #2363
See merge request GNOME/glib!2014
-rw-r--r-- | glib/galloca.h | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/glib/galloca.h b/glib/galloca.h index 47151ee8b..014a0efcb 100644 --- a/glib/galloca.h +++ b/glib/galloca.h @@ -81,6 +81,11 @@ G_END_DECLS * way as out of stack space situations from infinite function recursion, i.e. * with a segmentation fault. * + * - Allowing @size to be specified by an untrusted party would allow for them + * to trigger a segmentation fault by specifying a large size, leading to a + * denial of service vulnerability. @size must always be entirely under the + * control of the program. + * * - Special care has to be taken when mixing alloca() with GNU C variable sized arrays. * Stack space allocated with alloca() in the same scope as a variable sized array * will be freed together with the variable sized array upon exit of that scope, and @@ -96,6 +101,12 @@ G_END_DECLS * * Wraps g_alloca() in a more typesafe manner. * + * As mentioned in the documentation for g_alloca(), @n_structs must always be + * entirely under the control of the program, or you may introduce a denial of + * service vulnerability. In addition, the multiplication of @struct_type by + * @n_structs is not checked, so an overflow may lead to a remote code execution + * vulnerability. + * * Returns: Pointer to stack space for @n_structs chunks of type @struct_type */ #define g_newa(struct_type, n_structs) ((struct_type*) g_alloca (sizeof (struct_type) * (gsize) (n_structs))) |
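Review bot: in the first hunk (the new g_alloca() bullet), the text says what @size must not be but gives the caller nothing to do instead; suggest closing the bullet with a concrete alternative, e.g. "If the size is not a small, fixed value, allocate on the heap with g_malloc() instead." Minor wording: "would allow for them to trigger" reads better as "would allow them to trigger".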
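Review bot: in the second hunk (the g_newa() paragraph), "the multiplication of @struct_type by @n_structs" does not describe the macro, which computes sizeof (struct_type) * (gsize) (n_structs); suggest "the multiplication of sizeof (@struct_type) by @n_structs is not checked". It would also help to say why an unchecked product matters: a wrapped product yields a buffer smaller than @n_structs elements, so later writes run off the end of the stack allocation. Separately, the (gsize) cast in the macro means a negative signed @n_structs is not an overflow at all; it is converted to a very large unsigned value and passed straight to g_alloca(), which is the unbounded-size case the first hunk warns about and is worth a sentence here too.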