From 871bb5457c5951870d447f53c976a1a1f2dac85d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 3 Aug 2018 14:46:57 +0200
Subject: [PATCH] bus-message: fix calculation of offsets table for arrays
This is similar to the grandparent commit 'fix calculation of offsets table',
except that now the change is for array elements. Same story as before: we need
to make sure that the offsets increase enough taking alignment into account.
While at it, rename 'p' to 'previous' to match similar code in other places.
(cherry picked from commit f88214cf9d66c93f4d22c4c8980de9ee3ff45bab)
Resolves: #1696224
---
 src/libsystemd/sd-bus/bus-message.c            |  17 ++++++++++++-----
 ...sh-d8f3941c74219b4c03532c9b244d5ea539c61af5 | Bin 0 -> 41 bytes
 2 files changed, 12 insertions(+), 5 deletions(-)
 create mode 100644 test/fuzz/fuzz-bus-message/crash-d8f3941c74219b4c03532c9b244d5ea539c61af5
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
index c8f7937102..ac823aaf58 100644
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -3532,7 +3532,7 @@ static int bus_message_enter_array(
 
         size_t rindex;
         void *q;
-        int r, alignment;
+        int r;
 
         assert(m);
         assert(c);
@@ -3558,6 +3558,7 @@ static int bus_message_enter_array(
 
         if (!BUS_MESSAGE_IS_GVARIANT(m)) {
                 /* dbus1 */
+                int alignment;
 
                 r = message_peek_body(m, &rindex, 4, 4, &q);
                 if (r < 0)
@@ -3591,7 +3592,8 @@ static int bus_message_enter_array(
                 *n_offsets = 0;
 
         } else {
-                size_t where, p = 0, framing, sz;
+                size_t where, previous = 0, framing, sz;
+                int alignment;
                 unsigned i;
 
                 /* gvariant: variable length array */
@@ -3619,17 +3621,22 @@ static int bus_message_enter_array(
                 if (!*offsets)
                         return -ENOMEM;
 
+                alignment = bus_gvariant_get_alignment(c->signature);
+                assert(alignment > 0);
+
                 for (i = 0; i < *n_offsets; i++) {
-                        size_t x;
+                        size_t x, start;
+
+                        start = ALIGN_TO(previous, alignment);
 
                         x = bus_gvariant_read_word_le((uint8_t*) q + i * sz, sz);
                         if (x > c->item_size - sz)
                                 return -EBADMSG;
-                        if (x < p)
+                        if (x < start)
                                 return -EBADMSG;
 
                         (*offsets)[i] = rindex + x;
-                        p = x;
+                        previous = x;
                 }
 
                 *item_size = (*offsets)[0] - rindex;
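Review bot: The new `start = ALIGN_TO(previous, alignment);` line carries the whole point of the fix but has no comment saying why the previous end offset is rounded up before the `if (x < start)` rejection, so a why-comment is warranted, e.g. `/* gvariant offsets are element end offsets: element i starts at the previous end rounded up to the element alignment, so an end offset below that would mean a negative-sized element */`. `assert(alignment > 0)` is also placed after `*offsets` has been allocated and relies on `c->signature` having been validated before this point, which the hunk does not show; if that is not guaranteed for a message read from the wire, a non-positive return from bus_gvariant_get_alignment should be turned into `return -EBADMSG;` rather than an assertion. Moving the alignment lookup above the allocation would keep any such error return from leaking `*offsets`. bus_message_enter_array starts and ends outside the hunk.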
diff --git a/test/fuzz/fuzz-bus-message/crash-d8f3941c74219b4c03532c9b244d5ea539c61af5 b/test/fuzz/fuzz-bus-message/crash-d8f3941c74219b4c03532c9b244d5ea539c61af5
new file mode 100644
index 0000000000000000000000000000000000000000..26262e1149825a114a89bf9cee5aeca0be463984
GIT binary patch
literal 41
rcmd1#|DTC5gMmSS0SHWtIT#p03
literal 0
HcmV?d00001