tasn pushed a commit to branch efl-1.11. http://git.enlightenment.org/core/efl.git/commit/?id=d4d1bbf944af56ef7e7ac743c22b958ca7794e04
commit d4d1bbf944af56ef7e7ac743c22b958ca7794e04 Author: Tom Hacohen <t...@stosb.com> Date: Wed Oct 22 11:31:06 2014 +0100 Eo id: Fix id security checks for invalid objects. In some cases, invalid object ids (e.g 0x1) would pass validation and represent completely different objects (0x80...01). This happened because we weren't properly checking a given object id is actually an object id. @fix. --- src/lib/eo/eo_ptr_indirection.x | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/lib/eo/eo_ptr_indirection.x b/src/lib/eo/eo_ptr_indirection.x index 4efe667..2553e1d 100644 --- a/src/lib/eo/eo_ptr_indirection.x +++ b/src/lib/eo/eo_ptr_indirection.x @@ -100,6 +100,7 @@ typedef uint32_t Generation_Counter; #define MASK_TABLE_ID ((1 << BITS_TABLE_ID) - 1) #define MASK_ENTRY_ID ((1 << BITS_ENTRY_ID) - 1) #define MASK_GENERATIONS (MAX_GENERATIONS - 1) +#define MASK_OBJ_TAG (((Eo_Id) 1) << (REF_TAG_SHIFT)) /* This only applies to classes. Used to artificially enlarge the class ids * to reduce the likelihood of a clash with normal integers. */ @@ -273,6 +274,12 @@ _eo_obj_pointer_get(const Eo_Id obj_id) DBG("obj_id is NULL. Possibly unintended access?"); return NULL; } + else if (!(obj_id & MASK_OBJ_TAG)) + { + DBG("obj_id is not a valid object id."); + return NULL; + } + EO_DECOMPOSE_ID(obj_id, mid_table_id, table_id, entry_id, generation); /* Check the validity of the entry */ --