From: Unsung Lee Date: Thu, 20 Jun 2024 09:06:28 +0000 (+0900) Subject: gkdbus: Fix underflow and unreachable code bug X-Git-Tag: accepted/tizen/unified/20240626.155256^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=bf1a528986a5edf1c89925d26a2376c959db89ee;p=platform%2Fupstream%2Fglib.git gkdbus: Fix underflow and unreachable code bug Fix bugs that potentially cause underflow or unreachable code, so update kdbus2.patch file. Third input argument of g_array_remove_range() requires unsigned int type, so negative value can cause underflow bug. g_kdbus_msg_append_payload_vec() and g_kdbus_msg_append_payload_memfd() always return TRUE, so add_body_vectors() return value is always TRUE. In conclusion, error handler code for add_body_vectors() is useless, so remove it. Change-Id: I1bbe9b60c5699db79a7821896397b3c2916087cc Signed-off-by: Unsung Lee --- diff --git a/packaging/kdbus2.patch b/packaging/kdbus2.patch index edf5f8f..81ec5eb 100644 --- a/packaging/kdbus2.patch +++ b/packaging/kdbus2.patch @@ -67,14 +67,14 @@ Date: Fri Aug 21 16:47:05 2015 +0200 gio/gdbusproxy.c | 20 +- gio/gdbusutils.c | 9 + gio/gioenums.h | 60 + - gio/gkdbus.c | 4356 ++++++++++++++++++++++++++++++++ + gio/gkdbus.c | 4361 ++++++++++++++++++++++++++++++++ gio/gkdbus.h | 203 ++ gio/gkdbusfakedaemon.c | 694 +++++ gio/gkdbusfakedaemon.h | 39 + gio/gunixfdlist.h | 3 + gio/meson.build | 19 +- meson_options.txt | 10 + - 21 files changed, 6936 insertions(+), 351 deletions(-) + 21 files changed, 6941 insertions(+), 351 deletions(-) mode change 100644 => 100755 gio/gdbusconnection.c mode change 100644 => 100755 gio/gdbusnamewatching.c create mode 100755 gio/gkdbus.c @@ -83,7 +83,7 @@ Date: Fri Aug 21 16:47:05 2015 +0200 create mode 100644 gio/gkdbusfakedaemon.h diff --git a/gio/gdbusaddress.c b/gio/gdbusaddress.c -index b73ff0d..e23dff8 100644 +index b73ff0d6e..e23dff861 100644 --- a/gio/gdbusaddress.c +++ b/gio/gdbusaddress.c @@ -42,6 +42,9 @@ 
@@ -313,7 +313,7 @@ index b73ff0d..e23dff8 100644 diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c old mode 100644 new mode 100755 -index 1ee2ab4..960a83c +index 1ee2ab44f..960a83cbf --- a/gio/gdbusconnection.c +++ b/gio/gdbusconnection.c @@ -116,6 +116,9 @@ @@ -2117,7 +2117,7 @@ index 1ee2ab4..960a83c +} +#endif diff --git a/gio/gdbusconnection.h b/gio/gdbusconnection.h -index feda7c0..b4452b3 100644 +index feda7c002..b4452b3f5 100644 --- a/gio/gdbusconnection.h +++ b/gio/gdbusconnection.h @@ -32,6 +32,8 @@ @@ -2177,7 +2177,7 @@ index feda7c0..b4452b3 100644 void g_dbus_connection_start_message_processing (GDBusConnection *connection) TIZEN_PUBLIC_DEPRECATED_API; GIO_AVAILABLE_IN_ALL diff --git a/gio/gdbusmessage.c b/gio/gdbusmessage.c -index adddb31..3894d19 100644 +index adddb3154..3894d19dd 100644 --- a/gio/gdbusmessage.c +++ b/gio/gdbusmessage.c @@ -3868,3 +3868,10 @@ g_dbus_message_copy (GDBusMessage *message, @@ -2192,7 +2192,7 @@ index adddb31..3894d19 100644 + g_hash_table_iter_init (iter, message->headers); +} diff --git a/gio/gdbusmethodinvocation.c b/gio/gdbusmethodinvocation.c -index e5a9166..cd210c2 100644 +index e5a916681..cd210c249 100644 --- a/gio/gdbusmethodinvocation.c +++ b/gio/gdbusmethodinvocation.c @@ -310,6 +310,44 @@ g_dbus_method_invocation_get_parameters (GDBusMethodInvocation *invocation) @@ -2241,7 +2241,7 @@ index e5a9166..cd210c2 100644 * g_dbus_method_invocation_get_user_data: (skip) * @invocation: A #GDBusMethodInvocation. diff --git a/gio/gdbusmethodinvocation.h b/gio/gdbusmethodinvocation.h -index eecef03..bbfa190 100644 +index eecef0329..bbfa19048 100644 --- a/gio/gdbusmethodinvocation.h +++ b/gio/gdbusmethodinvocation.h @@ -91,6 +91,11 @@ GIO_AVAILABLE_IN_ALL @@ -2257,7 +2257,7 @@ index eecef03..bbfa190 100644 gpointer g_dbus_method_invocation_get_user_data (GDBusMethodInvocation *invocation) TIZEN_PUBLIC_DEPRECATED_API; 
diff --git a/gio/gdbusnameowning.c b/gio/gdbusnameowning.c -index 289ea03..5090d26 100644 +index 289ea036a..5090d2621 100644 --- a/gio/gdbusnameowning.c +++ b/gio/gdbusnameowning.c @@ -926,6 +926,19 @@ g_bus_unown_name (guint owner_id) @@ -2297,7 +2297,7 @@ index 289ea03..5090d26 100644 diff --git a/gio/gdbusnamewatching.c b/gio/gdbusnamewatching.c old mode 100644 new mode 100755 -index c834fe1..fc230a8 +index c834fe10e..fc230a86c --- a/gio/gdbusnamewatching.c +++ b/gio/gdbusnamewatching.c @@ -353,9 +353,6 @@ on_name_owner_changed (GDBusConnection *connection, @@ -2367,7 +2367,7 @@ index c834fe1..fc230a8 } diff --git a/gio/gdbusobjectmanagerclient.c b/gio/gdbusobjectmanagerclient.c -index b6b3b21..8997e8c 100644 +index b6b3b212c..8997e8c37 100644 --- a/gio/gdbusobjectmanagerclient.c +++ b/gio/gdbusobjectmanagerclient.c @@ -1133,7 +1133,6 @@ subscribe_signals (GDBusObjectManagerClient *manager, @@ -2426,7 +2426,7 @@ index b6b3b21..8997e8c 100644 manager->priv->match_rule = NULL; } diff --git a/gio/gdbusprivate.c b/gio/gdbusprivate.c -index 2c9238c..4132e82 100644 +index 2c9238c63..4132e820a 100644 --- a/gio/gdbusprivate.c +++ b/gio/gdbusprivate.c @@ -63,6 +63,10 @@ @@ -2715,7 +2715,7 @@ index 2c9238c..4132e82 100644 } diff --git a/gio/gdbusprivate.h b/gio/gdbusprivate.h -index e7a5bfa..898b11d 100644 +index e7a5bfa4f..898b11d28 100644 --- a/gio/gdbusprivate.h +++ b/gio/gdbusprivate.h @@ -31,16 +31,13 @@ G_BEGIN_DECLS @@ -2757,7 +2757,7 @@ index e7a5bfa..898b11d 100644 #endif /* __G_DBUS_PRIVATE_H__ */ diff --git a/gio/gdbusproxy.c b/gio/gdbusproxy.c -index afc6fe9..3166dd6 100644 +index afc6fe94e..3166dd64b 100644 --- a/gio/gdbusproxy.c +++ b/gio/gdbusproxy.c @@ -2598,26 +2598,10 @@ out: @@ -2790,7 +2790,7 @@ index afc6fe9..3166dd6 100644 /* ---------------------------------------------------------------------------------------------------- */ diff --git a/gio/gdbusutils.c b/gio/gdbusutils.c -index 4b4b7e1..7fb3305 100644 +index 4b4b7e1ef..7fb33050c 100644 
--- a/gio/gdbusutils.c +++ b/gio/gdbusutils.c @@ -453,6 +453,11 @@ g_dbus_gvariant_to_gvalue (GVariant *value, @@ -2817,7 +2817,7 @@ index 4b4b7e1..7fb3305 100644 ret = g_variant_ref_sink (g_variant_new_double (g_value_get_double (gvalue))); break; diff --git a/gio/gioenums.h b/gio/gioenums.h -index c820cd3..c8b9eb1 100644 +index c820cd36d..c8b9eb1dc 100644 --- a/gio/gioenums.h +++ b/gio/gioenums.h @@ -999,6 +999,66 @@ typedef enum @@ -2889,10 +2889,10 @@ index c820cd3..c8b9eb1 100644 * @G_BUS_NAME_WATCHER_FLAGS_NONE: No flags set. diff --git a/gio/gkdbus.c b/gio/gkdbus.c new file mode 100755 -index 0000000..aeb4408 +index 000000000..e62fc38cd --- /dev/null +++ b/gio/gkdbus.c -@@ -0,0 +1,4356 @@ +@@ -0,0 +1,4361 @@ +/* GIO - GLib Input, Output and Streaming Library + * + * Copyright (C) 2015 Samsung Electronics @@ -6375,7 +6375,7 @@ index 0000000..aeb4408 + return header_size; +} + -+static void ++static gboolean +make_single_header_vector (GVariantVectors *body_vectors, + gsize header_size, + gboolean lg_h_field_exist) @@ -6413,6 +6413,11 @@ index 0000000..aeb4408 + i++; + } + ++ if (i == 0) { ++ g_byte_array_free(header, TRUE); ++ return FALSE; ++ } ++ + /* Sanity check if the first vector contains at least the complete header */ + g_assert_cmpint (added_vectors_size, >=, header_size); + @@ -6423,6 +6428,8 @@ index 0000000..aeb4408 + g_array_remove_range (body_vectors->vectors, 1, i-1); + } + /* else: If there is only a single header vector, then just go */ ++ ++ return TRUE; +} + +static gboolean @@ -6480,7 +6487,7 @@ index 0000000..aeb4408 + } +} + -+static gboolean ++static void +add_body_vectors (struct kdbus_msg *msg, + GVariantVectors *body_vectors, + gint *memfd_fd) 
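Review bot: The new `if (i == 0)` guard in make_single_header_vector introduces a gboolean return whose meaning is documented nowhere, and its formatting (`if (i == 0) {`, `g_byte_array_free(header, TRUE)`) departs from the GNU style of the surrounding lines (`g_array_remove_range (...)`, braces on their own line). I would reformat the guard to match and add a short comment above the function, e.g. `/* Returns FALSE when the body holds no vector at all; header is freed and the message cannot be serialised. */`. The guard does remove the `i-1` underflow into the guint length argument of g_array_remove_range() for i == 0, but the `g_assert_cmpint (added_vectors_size, >=, header_size)` that follows still aborts rather than returning FALSE when the first vector is shorter than the header, so callers only get a recoverable error for the empty case. The loop that computes `i` and the rest of make_single_header_vector start outside the hunk, so whether body_vectors is left in a state that a later g_variant_vectors_deinit can handle on the FALSE path cannot be confirmed here.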
@@ -6540,21 +6547,17 @@ index 0000000..aeb4408 + else + { + /* attach memfd item */ -+ if (!g_kdbus_msg_append_payload_memfd (msg, *memfd_fd, vector.data.pointer - bytes_data, vector.size)) -+ return FALSE; ++ g_kdbus_msg_append_payload_memfd (msg, *memfd_fd, vector.data.pointer - bytes_data, vector.size); + } + } /* *memfd_fd == -1 */ + } /* use_memfd */ + + if (!use_memfd) -+ if (!g_kdbus_msg_append_payload_vec (msg, vector.data.pointer, vector.size)) -+ return FALSE; ++ g_kdbus_msg_append_payload_vec (msg, vector.data.pointer, vector.size); + } + else -+ if (!g_kdbus_msg_append_payload_vec (msg, body_vectors->extra_bytes->data + vector.data.offset, vector.size)) -+ return FALSE; ++ g_kdbus_msg_append_payload_vec (msg, body_vectors->extra_bytes->data + vector.data.offset, vector.size); + } -+ return TRUE; +} + +static gboolean @@ -6725,7 +6728,15 @@ index 0000000..aeb4408 + + /* Prepare message body - it is needed for kdbus msg size computation */ + header_size = prepare_body_vectors (worker, message, &body_vectors, &lg_h_field_exist); -+ make_single_header_vector (&body_vectors, header_size, lg_h_field_exist); ++ if (!make_single_header_vector (&body_vectors, header_size, lg_h_field_exist)) ++ { ++ g_set_error (error, G_DBUS_ERROR, G_DBUS_ERROR_FAILED, ++ "message serialisation error: make a single vector"); ++ g_warning ("kdbus: message serialisation error: make a single vector"); ++ GLIB_PRIVATE_CALL(g_variant_vectors_deinit) (&body_vectors); ++ ++ return result; ++ } + + /* We precompute needed size for the message to allocate exact space instead + of some arbitrary amount */ 
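Review bot: The new failure path after `make_single_header_vector` in g_kdbus_send_message calls `GLIB_PRIVATE_CALL(g_variant_vectors_deinit) (&body_vectors)` and then does `return result;` directly, while the function's other error handling presumably goes through an `out:` label (the path this commit removes in the next hunk used `goto out`); if anything acquired earlier in the function is released at `out:`, this early return skips it, and two cleanup conventions in one function make the next edit likely to leak. I would change the two lines to `goto out;` and let the `out:` cleanup own the deinit, unless `out:` is unsafe to reach before `msg` is allocated — the start of g_kdbus_send_message and its `out:` label are outside the hunk, so I cannot confirm which applies, and the value of `result` at this point is likewise not visible. In the add_body_vectors hunk, dropping the checks on g_kdbus_msg_append_payload_vec()/_memfd() matches the commit message, but those helpers still return gboolean; a comment at the first ignored call, `/* append helpers currently always return TRUE; revisit if they gain a failure path */`, records why the results are discarded so a future error is not silently swallowed.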
@@ -6756,13 +6767,7 @@ index 0000000..aeb4408 + /* File descriptors */ + add_file_descriptors_item (msg, message); + -+ if (!add_body_vectors (msg, &body_vectors, &memfd_fd)) -+ { -+ g_set_error (error, G_DBUS_ERROR, G_DBUS_ERROR_FAILED, -+ "message serialisation error: body vectors"); -+ g_warning ("kdbus: message serialisation error: body vectors"); -+ goto out; -+ } ++ add_body_vectors (msg, &body_vectors, &memfd_fd); + + /* + * set message flags @@ -7251,7 +7256,7 @@ index 0000000..aeb4408 +} diff --git a/gio/gkdbus.h b/gio/gkdbus.h new file mode 100644 -index 0000000..acbc0d5 +index 000000000..acbc0d5a5 --- /dev/null +++ b/gio/gkdbus.h @@ -0,0 +1,203 @@ @@ -7460,7 +7465,7 @@ index 0000000..acbc0d5 +#endif /* __G_KDBUS_H__ */ diff --git a/gio/gkdbusfakedaemon.c b/gio/gkdbusfakedaemon.c new file mode 100644 -index 0000000..04272f3 +index 000000000..04272f382 --- /dev/null +++ b/gio/gkdbusfakedaemon.c @@ -0,0 +1,694 @@ @@ -8160,7 +8165,7 @@ index 0000000..04272f3 +} diff --git a/gio/gkdbusfakedaemon.h b/gio/gkdbusfakedaemon.h new file mode 100644 -index 0000000..969b7b5 +index 000000000..969b7b50d --- /dev/null +++ b/gio/gkdbusfakedaemon.h @@ -0,0 +1,39 @@ @@ -8204,7 +8209,7 @@ index 0000000..969b7b5 + +#endif /* __G_KDBUSFAKEDAEMON_H__ */ diff --git a/gio/gunixfdlist.h b/gio/gunixfdlist.h -index df5587e..d5a9e8e 100644 +index df5587eea..d5a9e8e99 100644 --- a/gio/gunixfdlist.h +++ b/gio/gunixfdlist.h @@ -71,6 +71,9 @@ GIO_AVAILABLE_IN_ALL @@ -8218,7 +8223,7 @@ index df5587e..d5a9e8e 100644 gint g_unix_fd_list_append (GUnixFDList *list, gint fd, diff --git a/gio/meson.build b/gio/meson.build -index a4e9b30..f230c05 100644 +index a4e9b30f2..f230c05d0 100644 --- a/gio/meson.build +++ b/gio/meson.build @@ -231,6 +231,13 @@ gdbus_sources = files( @@ -8262,7 +8267,7 @@ index a4e9b30..f230c05 100644 c_args : [gio_c_args, gio_c_args_internal], objc_args : [gio_c_args, gio_c_args_internal], 
diff --git a/meson_options.txt b/meson_options.txt -index 517d575..7c95d03 100644 +index 517d5757c..7c95d0306 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -93,6 +93,16 @@ option('nls', @@ -8283,5 +8288,5 @@ index 517d575..7c95d03 100644 type : 'feature', value : 'disabled', -- -2.25.1 +2.17.1