Qt / QTBUG-22735

Stack overwrite in QDBusDemarshaller


    • Bug
    • Resolution: Done
    • P1: Critical
    • 4.8.x, 5.0.0 Beta 1, 5.0.0 RC 1
    • 4.7.4, 4.8.0, 5.0.0
    • D-Bus
    • None

      The QDBusArgument extraction operators, and the QDBusDemarshaller that implements the extraction, do not check the type of the extracted value. The helper function template qIterGet in qdbusdemarshaller.cpp, which is used for extracting basic data types, only reserves space on the stack for the expected type as specified by the client. If the actual type in the D-Bus parameter is larger, the stack will be overwritten in the helper function by at most 7 bytes (expected one byte, received dbus_uint64_t of size 8 bytes).

      See also http://dbus.freedesktop.org/doc/api/html/group__DBusMessage.html#ga41c23a05e552d0574d0444d4693d18ab
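
The missing type check described in this report, as an added C++ example (not Qt's code and not the fix that was merged). FakeIter, fakeGetBasic, WireType and checkedGet are constructed stand-ins that model a get-basic call writing as many bytes as the wire type occupies; only the D-Bus type codes 'y', 'u' and 't' are real.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed stand-in for a message iterator positioned on one basic value.
struct FakeIter {
    char type;              // D-Bus type code sent by the peer: 'y' byte, 'u' uint32, 't' uint64
    unsigned char raw[8];   // payload bytes as received
};

static std::size_t wireSize(char type) {
    switch (type) {
    case 'y': return 1;
    case 'u': return 4;
    case 't': return 8;
    default:  return 0;     // not a type this sketch handles
    }
}

// Models a get-basic call: copies wireSize(actual type) bytes, whatever dest points at.
static void fakeGetBasic(const FakeIter &it, void *dest) {
    std::memcpy(dest, it.raw, wireSize(it.type));
}

// Pattern from the report: storage is sized by the caller's expectation only.
//   template <typename T> T unchecked(const FakeIter &it) { T v; fakeGetBasic(it, &v); return v; }
// With T = std::uint8_t and it.type == 't', 8 bytes are written into a 1-byte slot.

// Hypothetical mapping from the requested C++ type to the D-Bus code it must match.
template <typename T> struct WireType;
template <> struct WireType<std::uint8_t>  { static const char code = 'y'; };
template <> struct WireType<std::uint32_t> { static const char code = 'u'; };
template <> struct WireType<std::uint64_t> { static const char code = 't'; };

// Hardened form: compare the peer's type with the expected one before any write.
// On mismatch nothing is copied and out is left untouched.
template <typename T>
bool checkedGet(const FakeIter &it, T &out) {
    if (it.type != WireType<T>::code || wireSize(it.type) != sizeof(T))
        return false;
    fakeGetBasic(it, &out);
    return true;
}

int main() {
    FakeIter wide = {'t', {1, 2, 3, 4, 5, 6, 7, 8}};  // constructed: peer sends uint64
    std::uint8_t b = 0;
    return checkedGet(wide, b) ? 1 : 0;               // client asked for a byte: rejected, exit 0
}
```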


            Unassigned Unassigned
            srosenda Sami Rosendahl