From 21a204147b16539b3eda3143b32844c49e29f4d4 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 17 Aug 2023 11:33:49 +0000 Subject: [PATCH] gvariant: Propagate trust when getting a child of a serialised variant If a variant is trusted, that means all its children are trusted, so ensure that their checked offsets are set as such. This allows a lot of the offset table checks to be avoided when getting children from trusted serialised tuples, which speeds things up. No unit test is included because this is just a performance fix. If there are other slownesses, or regressions, in serialised `GVariant` performance, the fuzzing setup will catch them like it did this one. This change does reduce the time to run the oss-fuzz reproducer from 80s to about 0.7s on my machine. Signed-off-by: Philip Withnall Fixes: #2841 oss-fuzz#54314 CVE: CVE-2023-32636 Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/21a204147b16539b3eda3143b32844c49e29f4d4] Signed-off-by: Siddharth Doshi --- glib/gvariant-core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/glib/gvariant-core.c b/glib/gvariant-core.c index 1b9d5cc..ed57c70 100644 --- a/glib/gvariant-core.c +++ b/glib/gvariant-core.c @@ -1173,8 +1173,8 @@ g_variant_get_child_value (GVariant *value, child->contents.serialised.bytes = g_bytes_ref (value->contents.serialised.bytes); child->contents.serialised.data = s_child.data; - child->contents.serialised.ordered_offsets_up_to = s_child.ordered_offsets_up_to; - child->contents.serialised.checked_offsets_up_to = s_child.checked_offsets_up_to; + child->contents.serialised.ordered_offsets_up_to = (value->state & STATE_TRUSTED) ? G_MAXSIZE : s_child.ordered_offsets_up_to; + child->contents.serialised.checked_offsets_up_to = (value->state & STATE_TRUSTED) ? G_MAXSIZE : s_child.checked_offsets_up_to; return child; } -- 2.24.4
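Review bot: the two `+` lines in the `g_variant_get_child_value` hunk both repeat the `(value->state & STATE_TRUSTED) ? G_MAXSIZE : ...` test without stating the invariant they rely on; a one-line comment above them (a trusted parent means its whole serialised body, children included, has already been validated, so the child's offsets can be marked ordered and checked up to `G_MAXSIZE`) would carry the commit message's reasoning to the point of use, and hoisting the test into a local such as `gboolean trusted = (value->state & STATE_TRUSTED) != 0;` would avoid evaluating it twice. Since the change is tagged CVE-2023-32636 and fixes an oss-fuzz timeout (80s down to about 0.7s per the commit message), a regression test is still worth adding despite the "no unit test is included" note: either run the reproducer under a time bound, or assert that a child obtained from a trusted serialised tuple reports `checked_offsets_up_to == G_MAXSIZE` and that a child of an untrusted variant keeps the value computed by the serialiser, so a future refactor cannot silently drop the propagation.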