the code added by minkyoung has a definite security flaw here trusting
e->response to be within a small range when all it is is an int -
range is not limited other than that... so fix the code to check for
range like further code below does.
this commit went in 2 days ago... so not an existing bug fix.
{
Ipc_Data_Update *ipc;
int n = e->response;
+
/* b->lockfd is not enough to ensure the size is same
* between what server knows, and client knows.
* So should check file lock also. */
- if (extn->b[n].buf && (!_extnbuf_lock_file_get(extn->b[n].buf)))
- {
- EINA_LIST_FREE(extn->file.updates, ipc)
+ if ((n >= 0) && (n < NBUF))
+ {
+ if (extn->b[n].buf && (!_extnbuf_lock_file_get(extn->b[n].buf)))
{
- free(ipc);
+ EINA_LIST_FREE(extn->file.updates, ipc)
+ {
+ free(ipc);
+ }
+ break;
}
- break;
}
EINA_LIST_FREE(extn->file.updates, ipc)
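Review bot: the out-of-range case should not be silent. `n` comes straight from `e->response`, a client-supplied value, and the new `if ((n >= 0) && (n < NBUF))` guard correctly stops `extn->b[n]` from being indexed outside the array, but when the check fails control just drops to the trailing `EINA_LIST_FREE(extn->file.updates, ipc)` as if the lock check had failed. A peer sending an index outside `[0, NBUF)` is a protocol violation worth recording (an `else` branch with an error log, or treating it like the other malformed-message paths in this file) so that it is visible in the logs rather than indistinguishable from the normal path. Also confirm that `NBUF` is the bound actually used to declare `extn->b`; if the array is sized from a different constant, the check is off by whatever the two differ by, so either size the array from `NBUF` or bound-check against `sizeof(extn->b) / sizeof(extn->b[0])`.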