review.tizen.org Git - profile/ivi/qtbase.git/commit

author	Sami Rosendahl <ext-sami.1.rosendahl@nokia.com>
	Wed, 23 Nov 2011 08:03:26 +0000 (10:03 +0200)
committer	Qt by Nokia <qt-info@nokia.com>
	Wed, 23 Nov 2011 18:14:12 +0000 (19:14 +0100)
commit	b851c764a61c0de781ef3447230a0a6a3f4a0ed9
tree	e027346c7289ecc2a74bf1dd54d6d3531c7911ad	tree \| snapshot
parent	c3160c84af3cb14c0edc5896be0ca637377e3805	commit \| diff

Fix stack overwrite in QDBusDemarshaller

QDBusArgument extraction operators and QDBusDemarshaller that implements
the extraction do not check the type of the extracted value.
Helper function template qIterGet in qdbusdemarshaller.cpp that is used
for extracting basic data types only reserves space from the stack for
the expected type as specified by client.
If the actual type in the DBus parameter is larger stack will be
overwritten in the helper function by at most 7 bytes (expected one byte,
received dbus_uint_64_t of size 8 bytes).

The fix always reserves space for the largest basic type dbus_uint64_t
readable by dbus_message_iter_get_basic API.

See also http://dbus.freedesktop.org/doc/api/html/group__DBusMessage.html#ga41c23a05e552d0574d04

Task-number: QTBUG-22735
Change-Id: I9aa25b279852ac8acc40199a39910ea4002042d7
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>

src/dbus/qdbusdemarshaller.cpp		diff \| blob \| history
tests/auto/dbus/qdbusmarshall/tst_qdbusmarshall.cpp		diff \| blob \| history