  1. Qt
  2. QTBUG-22735

Stack overwrite in QDBusDemarshaller


Details

    • Bug
    • Resolution: Done
    • P1: Critical
    • 4.8.x, 5.0.0 Beta 1, 5.0.0 RC 1
    • 4.7.4, 4.8.0, 5.0.0
    • D-Bus
    • None

    Description

      The QDBusArgument extraction operators, and the QDBusDemarshaller that implements the extraction, do not check the type of the extracted value. The helper function template qIterGet in qdbusdemarshaller.cpp, which is used for extracting basic data types, only reserves space on the stack for the expected type as specified by the client. If the actual type in the DBus parameter is larger, the stack will be overwritten in the helper function by at most 7 bytes (expected one byte, received dbus_uint64_t of size 8 bytes).

      See also http://dbus.freedesktop.org/doc/api/html/group__DBusMessage.html#ga41c23a05e552d0574d0444d4693d18ab
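The missing check described above, as an added example that is not code from Qt or from this report: the message's type code is compared with the requested C++ type before anything is copied into the caller's stack slot. `MockIter`, `makeIter`, `basicSize`, `DBusCode`, `overrunBytes` and `checkedGet` are hypothetical names, and the iterator is a constructed mock, so nothing here links against libdbus.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed stand-in for a D-Bus message iterator (not libdbus, not Qt code).
struct MockIter {
    char type;             // D-Bus type code: 'y' BYTE, 'u' UINT32, 't' UINT64, ...
    unsigned char raw[8];  // value bytes as carried in the message
};

template <typename T>
MockIter makeIter(char type, T v) {
    static_assert(sizeof(T) <= 8, "basic types are at most 8 bytes");
    MockIter it = {type, {0}};
    std::memcpy(it.raw, &v, sizeof v);
    return it;
}

// Bytes a get_basic-style call writes to the destination for each type code.
inline std::size_t basicSize(char type) {
    switch (type) {
    case 'y': return 1;
    case 'n': case 'q': return 2;
    case 'b': case 'i': case 'u': return 4;
    case 'x': case 't': case 'd': return 8;
    default:  return 0;  // strings and containers are out of scope here
    }
}

// Hypothetical traits: the only D-Bus code each C++ type may be read from.
template <typename T> struct DBusCode;
template <> struct DBusCode<std::uint8_t>  { enum { value = 'y' }; };
template <> struct DBusCode<std::uint32_t> { enum { value = 'u' }; };
template <> struct DBusCode<std::uint64_t> { enum { value = 't' }; };

// Bytes an unchecked read would write past a stack slot of type T.
template <typename T>
std::size_t overrunBytes(const MockIter &it) {
    std::size_t n = basicSize(it.type);
    return n > sizeof(T) ? n - sizeof(T) : 0;
}

// Checked extraction: copy only when the message type matches the requested one.
template <typename T>
bool checkedGet(const MockIter &it, T *out) {
    if (it.type != DBusCode<T>::value || basicSize(it.type) != sizeof(T))
        return false;  // mismatch: leave *out untouched
    std::memcpy(out, it.raw, sizeof(T));
    return true;
}
```

With a UINT64 argument and a one-byte destination, `overrunBytes` reports the 7 bytes named in the description, and `checkedGet` refuses the read instead of writing them.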


          People

            Unassigned Unassigned
            srosenda Sami Rosendahl