tasn pushed a commit to branch efl-1.11.

http://git.enlightenment.org/core/efl.git/commit/?id=d4d1bbf944af56ef7e7ac743c22b958ca7794e04

commit d4d1bbf944af56ef7e7ac743c22b958ca7794e04
Author: Tom Hacohen <t...@stosb.com>
Date:   Wed Oct 22 11:31:06 2014 +0100

    Eo id: Fix id security checks for invalid objects.
    
    In some cases, invalid object ids (e.g. 0x1) would pass validation and
    represent completely different objects (0x80...01). This happened because
    we weren't properly checking that a given object id is actually an object id.
    
    @fix.
---
 src/lib/eo/eo_ptr_indirection.x | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/lib/eo/eo_ptr_indirection.x b/src/lib/eo/eo_ptr_indirection.x
index 4efe667..2553e1d 100644
--- a/src/lib/eo/eo_ptr_indirection.x
+++ b/src/lib/eo/eo_ptr_indirection.x
@@ -100,6 +100,7 @@ typedef uint32_t Generation_Counter;
 #define MASK_TABLE_ID         ((1 << BITS_TABLE_ID) - 1)
 #define MASK_ENTRY_ID         ((1 << BITS_ENTRY_ID) - 1)
 #define MASK_GENERATIONS      (MAX_GENERATIONS - 1)
+#define MASK_OBJ_TAG          (((Eo_Id) 1) << (REF_TAG_SHIFT))
 
 /* This only applies to classes. Used to artificially enlarge the class ids
  * to reduce the likelihood of a clash with normal integers. */
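Review bot: `MASK_OBJ_TAG` has no comment, and it is a single bit tested on the raw id, whereas the neighbouring `MASK_TABLE_ID`, `MASK_ENTRY_ID` and `MASK_GENERATIONS` look like low-bit field masks. A one-line comment would keep later callers from treating it as another field mask, for example `/* Tag bit expected in every object id; test it on the unshifted Eo_Id. */`. `REF_TAG_SHIFT` is defined outside this hunk, so the wording should be checked against its definition.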
@@ -273,6 +274,12 @@ _eo_obj_pointer_get(const Eo_Id obj_id)
         DBG("obj_id is NULL. Possibly unintended access?");
         return NULL;
      }
+   else if (!(obj_id & MASK_OBJ_TAG))
+     {
+        DBG("obj_id is not a valid object id.");
+        return NULL;
+     }
+
    EO_DECOMPOSE_ID(obj_id, mid_table_id, table_id, entry_id, generation);
 
    /* Check the validity of the entry */
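Review bot: The new rejection branch in `_eo_obj_pointer_get` logs at `DBG` and omits the offending value, so a non-NULL id without the tag bit (a caller bug or a corrupted handle) is likely to go unnoticed and is hard to trace back. Including the id would help, e.g. `DBG("obj_id %p is not a valid object id.", (void *)obj_id);`, and a higher log level may be appropriate here, since unlike the NULL case this is never a legitimate value. The check covers only this lookup: any other function that runs `EO_DECOMPOSE_ID` on a caller-supplied id is not visible in this hunk and would presumably need the same `MASK_OBJ_TAG` test. The function starts before the hunk and continues past it.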

-- 

