From: Dan Williams Date: Thu, 4 Apr 2013 15:49:18 +0000 (-0500) Subject: Don't access random memory if data slot isn't allocated yet X-Git-Tag: dbus-1.6.10~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1495c207b4c76e306a3fe666fffe2b95e0326f3e;p=thirdparty%2Fdbus.git Don't access random memory if data slot isn't allocated yet If DBUS_DISABLE_ASSERTS was turned on, and a buggy program called dbus_connection_get_data() with a slot number less than zero (eg, before even allocating the data slot), random memory would be accessed and a random value returned. Anything less than zero is not a valid slot number and should be rejected by libdbus. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=63127 Signed-off-by: Dan Williams Reviewed-by: Simon McVittie --- diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c index ee33b6ccc..66315b3fd 100644 --- a/dbus/dbus-connection.c +++ b/dbus/dbus-connection.c @@ -5974,7 +5974,8 @@ dbus_connection_get_data (DBusConnection *connection, void *res; _dbus_return_val_if_fail (connection != NULL, NULL); - + _dbus_return_val_if_fail (slot >= 0, NULL); + SLOTS_LOCK (connection); res = _dbus_data_slot_list_get (&slot_allocator,
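Review bot: The new `slot >= 0` check in dbus_connection_get_data() sits in a `_dbus_return_val_if_fail` macro, so it protects only builds where that macro is compiled in. The commit message describes the bug appearing once asserts are removed with DBUS_DISABLE_ASSERTS, so please confirm that no build option strips this check in the same way. If one can, rejecting a negative slot inside `_dbus_data_slot_list_get` itself would cover every configuration. The hunk also guards only this getter. The matching setter and any other callers that pass a slot to `_dbus_data_slot_list_get` are not shown here and should get the same check, and the function's doc comment should say that a negative slot returns NULL.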