Closed by zeenix 1 year ago
@jwestman Thanks so much for reporting this with all the details. I'm currently on PTO but I'll try and have a look soon. If you could provide a merge request, that'd be even more helpful and greatly appreciated.
In GitLab by @jwestman on Apr 19, 2022, 19:17
Opened an MR: https://gitlab.freedesktop.org/dbus/zbus/-/merge_requests/484
There's another panic at zvariant/src/framing_offsets.rs:23, but I'm not sure how to fix that one.
> Opened an MR: https://gitlab.freedesktop.org/dbus/zbus/-/merge_requests/484
:thumbsup:
> There's another panic at zvariant/src/framing_offsets.rs:23, but I'm not sure how to fix that one.
If you could just add a simple test case, that'd already be very helpful.
mentioned in commit 6edb88a6551fdee00c6953f1fef7a5c09c31f543
In GitLab by @jwestman on Apr 19, 2022, 06:34
Reproducer:
```
thread 'main' panicked at 'attempt to subtract with overflow', /home/jwestman/.cargo/registry/src/github.com-1ecc6299db9ec823/zvariant-3.1.2/src/gvariant/de.rs:694:29
```
Some invalid inputs--particularly, an empty input--cause zvariant to panic rather than return an appropriate error. This case is an integer underflow at zvariant/src/gvariant/de.rs:702 when the length of the message is 0. There are several other instances of `len() - 1` in the same file, and I suspect they are also susceptible to invalid inputs.
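The `len() - 1` pattern described in the report, next to a checked form that returns an error for empty or malformed input. This is an added example, not part of the original thread and not zvariant's code: the function and error names are hypothetical, and it assumes a GVariant-style nul-terminated string and an array of strings with 1-byte framing offsets.

```rust
// Added example (not zvariant code); all names here are hypothetical.
#[derive(Debug, PartialEq)]
enum DecodeError { Empty, MissingNul, BadUtf8, BadOffset, Unsupported }

// Pattern from the report: `len() - 1` underflows on empty input and panics.
#[allow(dead_code)]
fn strip_nul_unchecked(bytes: &[u8]) -> &[u8] {
    &bytes[..bytes.len() - 1]
}

// Checked form: `split_last` returns None for an empty slice, so an error
// is reported instead of doing arithmetic on a zero length.
fn decode_str(bytes: &[u8]) -> Result<&str, DecodeError> {
    let (last, body) = bytes.split_last().ok_or(DecodeError::Empty)?;
    if *last != 0 {
        return Err(DecodeError::MissingNul);
    }
    std::str::from_utf8(body).map_err(|_| DecodeError::BadUtf8)
}

// Array of strings with 1-byte framing offsets (containers up to 255 bytes).
// The last byte is the end of the last element, where the offset table starts.
fn decode_str_array(bytes: &[u8]) -> Result<Vec<&str>, DecodeError> {
    if bytes.len() > 255 {
        return Err(DecodeError::Unsupported);
    }
    let table_start = match bytes.last() {
        None => return Ok(Vec::new()), // zero bytes encode an empty array
        Some(&b) => b as usize,
    };
    // Untrusted offset: it must land inside the buffer, at or before the byte just read.
    if table_start >= bytes.len() {
        return Err(DecodeError::BadOffset);
    }
    let mut items = Vec::new();
    let mut start = 0usize;
    for &end in &bytes[table_start..] {
        let end = end as usize;
        if end < start || end > table_start {
            return Err(DecodeError::BadOffset);
        }
        items.push(decode_str(&bytes[start..end])?);
        start = end;
    }
    Ok(items)
}

fn main() {
    let sample = b"hi\0yo\0\x03\x06"; // constructed sample: ["hi", "yo"]
    println!("{:?}", decode_str_array(sample));
    println!("{:?}", decode_str(b""));
}
```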