2005-02-06 Havoc Pennington <hp@redhat.com>

	* dbus/dbus-message-factory.c (generate_special): more tests

	* dbus/dbus-marshal-validate.c (validate_body_helper): detect
	array length that exceeds the maximum

5 files changed, 182 insertions, 27 deletions

diff --git a/ChangeLog b/ChangeLog
index cbde9ade..7678f5b4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2005-02-06  Havoc Pennington  <hp@redhat.com>
+
+	* dbus/dbus-message-factory.c (generate_special): more tests
+
+	* dbus/dbus-marshal-validate.c (validate_body_helper): detect
+	array length that exceeds the maximum
+
 2005-02-05  Havoc Pennington  <hp@redhat.com>
 
 	* dbus/dbus-message-factory.c (generate_special): more test cases,
diff --git a/dbus/dbus-marshal-basic.c b/dbus/dbus-marshal-basic.c
index 84a9ccaf..a443ea35 100644
--- a/dbus/dbus-marshal-basic.c
+++ b/dbus/dbus-marshal-basic.c
@@ -577,8 +577,8 @@ _dbus_marshal_read_basic (const DBusString      *str,
       }
       break;
     default:
-      _dbus_warn ("type %s not a basic type\n",
-                  _dbus_type_to_string (type));
+      _dbus_warn ("type %s %d not a basic type\n",
+                  _dbus_type_to_string (type), type);
       _dbus_assert_not_reached ("not a basic type");
       break;
     }
@@ -757,6 +757,9 @@ marshal_len_followed_by_bytes (int                  marshal_as,
 
   if (marshal_as == MARSHAL_AS_SIGNATURE)
     {
+      _dbus_assert (data_len <= DBUS_MAXIMUM_SIGNATURE_LENGTH);
+      _dbus_assert (data_len <= 255); /* same as max sig len right now */
+      
       if (!_dbus_string_insert_byte (str, pos, data_len))
         goto oom;
 
diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
index c1d95820..1639fb83 100644
--- a/dbus/dbus-marshal-validate.c
+++ b/dbus/dbus-marshal-validate.c
@@ -266,7 +266,7 @@ validate_body_helper (DBusTypeReader       *reader,
               }
 
             if (claimed_len > (unsigned long) (end - p))
-              return DBUS_INVALID_STRING_LENGTH_OUT_OF_BOUNDS;
+              return DBUS_INVALID_LENGTH_OUT_OF_BOUNDS;
 
             if (current_type == DBUS_TYPE_OBJECT_PATH)
               {
@@ -294,6 +294,9 @@ validate_body_helper (DBusTypeReader       *reader,
                 DBusValidity validity;
                 const unsigned char *array_end;
 
+                if (claimed_len > DBUS_MAXIMUM_ARRAY_LENGTH)
+                  return DBUS_INVALID_ARRAY_LENGTH_EXCEEDS_MAXIMUM;
+                
                 /* Remember that the reader is types only, so we can't
                  * use it to iterate over elements. It stays the same
                  * for all elements.
diff --git a/dbus/dbus-marshal-validate.h b/dbus/dbus-marshal-validate.h
index 8989d508..74f4bbf2 100644
--- a/dbus/dbus-marshal-validate.h
+++ b/dbus/dbus-marshal-validate.h
@@ -55,7 +55,9 @@ typedef enum
   DBUS_VALID = 0,
   DBUS_INVALID_UNKNOWN_TYPECODE = 1,
   DBUS_INVALID_MISSING_ARRAY_ELEMENT_TYPE = 2,
-  DBUS_INVALID_SIGNATURE_TOO_LONG = 3,
+  DBUS_INVALID_SIGNATURE_TOO_LONG = 3, /* this one is impossible right now since
+                                        * you can't put a too-long value in a byte
+                                        */
   DBUS_INVALID_EXCEEDED_MAXIMUM_ARRAY_RECURSION = 4,
   DBUS_INVALID_EXCEEDED_MAXIMUM_STRUCT_RECURSION = 5,
   DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED = 6,
@@ -87,27 +89,26 @@ typedef enum
   DBUS_INVALID_MISSING_MEMBER = 32,
   DBUS_INVALID_MISSING_ERROR_NAME = 33,
   DBUS_INVALID_MISSING_REPLY_SERIAL = 34,
-  DBUS_INVALID_STRING_LENGTH_OUT_OF_BOUNDS = 35,
-  DBUS_INVALID_ARRAY_LENGTH_OUT_OF_BOUNDS = 36,
-  DBUS_INVALID_ARRAY_LENGTH_EXCEEDS_MAXIMUM = 37,
-  DBUS_INVALID_BAD_PATH = 38,
-  DBUS_INVALID_SIGNATURE_LENGTH_OUT_OF_BOUNDS = 39,
-  DBUS_INVALID_BAD_UTF8_IN_STRING = 40,
-  DBUS_INVALID_ARRAY_LENGTH_INCORRECT = 41,
-  DBUS_INVALID_VARIANT_SIGNATURE_LENGTH_OUT_OF_BOUNDS = 42,
-  DBUS_INVALID_VARIANT_SIGNATURE_BAD = 43,
-  DBUS_INVALID_VARIANT_SIGNATURE_EMPTY = 44,
-  DBUS_INVALID_VARIANT_SIGNATURE_SPECIFIES_MULTIPLE_VALUES = 45,
-  DBUS_INVALID_VARIANT_SIGNATURE_MISSING_NUL = 46,
-  DBUS_INVALID_STRING_MISSING_NUL = 47,
-  DBUS_INVALID_SIGNATURE_MISSING_NUL = 48,
-  DBUS_INVALID_EXCEEDED_MAXIMUM_DICT_ENTRY_RECURSION = 49,
-  DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED = 50,
-  DBUS_INVALID_DICT_ENTRY_STARTED_BUT_NOT_ENDED = 51,
-  DBUS_INVALID_DICT_ENTRY_HAS_NO_FIELDS = 52,
-  DBUS_INVALID_DICT_ENTRY_HAS_ONLY_ONE_FIELD = 53,
-  DBUS_INVALID_DICT_ENTRY_HAS_TOO_MANY_FIELDS = 54,
-  DBUS_INVALID_DICT_ENTRY_NOT_INSIDE_ARRAY = 55,
+  DBUS_INVALID_LENGTH_OUT_OF_BOUNDS = 35,
+  DBUS_INVALID_ARRAY_LENGTH_EXCEEDS_MAXIMUM = 36,
+  DBUS_INVALID_BAD_PATH = 37,
+  DBUS_INVALID_SIGNATURE_LENGTH_OUT_OF_BOUNDS = 38,
+  DBUS_INVALID_BAD_UTF8_IN_STRING = 39,
+  DBUS_INVALID_ARRAY_LENGTH_INCORRECT = 40,
+  DBUS_INVALID_VARIANT_SIGNATURE_LENGTH_OUT_OF_BOUNDS = 41,
+  DBUS_INVALID_VARIANT_SIGNATURE_BAD = 42,
+  DBUS_INVALID_VARIANT_SIGNATURE_EMPTY = 43,
+  DBUS_INVALID_VARIANT_SIGNATURE_SPECIFIES_MULTIPLE_VALUES = 44,
+  DBUS_INVALID_VARIANT_SIGNATURE_MISSING_NUL = 45,
+  DBUS_INVALID_STRING_MISSING_NUL = 46,
+  DBUS_INVALID_SIGNATURE_MISSING_NUL = 47,
+  DBUS_INVALID_EXCEEDED_MAXIMUM_DICT_ENTRY_RECURSION = 48,
+  DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED = 49,
+  DBUS_INVALID_DICT_ENTRY_STARTED_BUT_NOT_ENDED = 50,
+  DBUS_INVALID_DICT_ENTRY_HAS_NO_FIELDS = 51,
+  DBUS_INVALID_DICT_ENTRY_HAS_ONLY_ONE_FIELD = 52,
+  DBUS_INVALID_DICT_ENTRY_HAS_TOO_MANY_FIELDS = 53,
+  DBUS_INVALID_DICT_ENTRY_NOT_INSIDE_ARRAY = 54,
   DBUS_VALIDITY_LAST
 } DBusValidity;
 
diff --git a/dbus/dbus-message-factory.c b/dbus/dbus-message-factory.c
index adcb9b2e..37c3d38d 100644
--- a/dbus/dbus-message-factory.c
+++ b/dbus/dbus-message-factory.c
@@ -315,6 +315,22 @@ simple_method_return (void)
   return message;
 }
 
+static DBusMessage*
+simple_error (void)
+{
+  DBusMessage *message;
+  message =  dbus_message_new (DBUS_MESSAGE_TYPE_ERROR);
+  if (message == NULL)
+    _dbus_assert_not_reached ("oom");
+
+  if (!dbus_message_set_error_name (message, "foo.bar"))
+    _dbus_assert_not_reached ("oom");
+  
+  set_reply_serial (message);
+  
+  return message;
+}
+
 static dbus_bool_t
 generate_special (DBusMessageDataIter   *iter,
                   DBusString            *data,
@@ -354,7 +370,7 @@ generate_special (DBusMessageDataIter   *iter,
     }
   else if (item_seq == 1)
     {
-      char long_sig[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH+1];
+      char long_sig[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH+2];
       const char *v_STRING;
       int i;
       
@@ -372,6 +388,7 @@ generate_special (DBusMessageDataIter   *iter,
           long_sig[i] = DBUS_TYPE_ARRAY;
           ++i;
         }
+      long_sig[i] = DBUS_TYPE_INVALID;
 
       v_STRING = long_sig;
       if (!_dbus_header_set_field_basic (&message->header,
@@ -389,7 +406,7 @@ generate_special (DBusMessageDataIter   *iter,
     }
   else if (item_seq == 2)
     {
-      char long_sig[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH*2+3];
+      char long_sig[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH*2+4];
       const char *v_STRING;
       int i;
       
@@ -416,6 +433,7 @@ generate_special (DBusMessageDataIter   *iter,
           long_sig[i] = DBUS_STRUCT_END_CHAR;
           ++i;
         }
+      long_sig[i] = DBUS_TYPE_INVALID;
       
       v_STRING = long_sig;
       if (!_dbus_header_set_field_basic (&message->header,
@@ -592,6 +610,129 @@ generate_special (DBusMessageDataIter   *iter,
       
       *expected_validity = DBUS_INVALID_MISSING_REPLY_SERIAL;
     }
+  else if (item_seq == 15)
+    {
+      message = simple_error ();
+
+      if (!dbus_message_set_error_name (message, NULL))
+        _dbus_assert_not_reached ("oom");
+      
+      generate_from_message (data, expected_validity, message);
+      
+      *expected_validity = DBUS_INVALID_MISSING_ERROR_NAME;
+    }
+  else if (item_seq == 16)
+    {
+      char long_sig[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH*3+6];
+      const char *v_STRING;
+      int i;
+      int n_begins;
+      
+      message = simple_method_call ();
+      if (!dbus_message_append_args (message,
+                                     DBUS_TYPE_INT32, &v_INT32,
+                                     DBUS_TYPE_INT32, &v_INT32,
+                                     DBUS_TYPE_INT32, &v_INT32,
+                                     DBUS_TYPE_INVALID))
+        _dbus_assert_not_reached ("oom");
+
+      i = 0;
+      while (i <= (DBUS_MAXIMUM_TYPE_RECURSION_DEPTH*2 + 2))
+        {
+          long_sig[i] = DBUS_TYPE_ARRAY;
+          ++i;
+          long_sig[i] = DBUS_DICT_ENTRY_BEGIN_CHAR;
+          ++i;
+        }
+      n_begins = i / 2;
+
+      long_sig[i] = DBUS_TYPE_INT32;
+      ++i;
+      long_sig[i] = DBUS_TYPE_INT32;
+      ++i;
+      
+      while (n_begins > 0)
+        {
+          long_sig[i] = DBUS_DICT_ENTRY_END_CHAR;
+          ++i;
+          n_begins -= 1;
+        }
+      long_sig[i] = DBUS_TYPE_INVALID;
+      
+      v_STRING = long_sig;
+      if (!_dbus_header_set_field_basic (&message->header,
+                                         DBUS_HEADER_FIELD_SIGNATURE,
+                                         DBUS_TYPE_SIGNATURE,
+                                         &v_STRING))
+        _dbus_assert_not_reached ("oom");
+      
+      _dbus_header_get_field_raw (&message->header,
+                                  DBUS_HEADER_FIELD_SIGNATURE,
+                                  NULL, &pos);
+      generate_from_message (data, expected_validity, message);
+      
+      *expected_validity = DBUS_INVALID_EXCEEDED_MAXIMUM_DICT_ENTRY_RECURSION;
+    }
+  else if (item_seq == 17)
+    {
+      message = simple_method_call ();
+      if (!dbus_message_append_args (message,
+                                     DBUS_TYPE_INT32, &v_INT32,
+                                     DBUS_TYPE_INT32, &v_INT32,
+                                     DBUS_TYPE_INT32, &v_INT32,
+                                     DBUS_TYPE_INVALID))
+        _dbus_assert_not_reached ("oom");
+                                     
+      _dbus_header_get_field_raw (&message->header,
+                                  DBUS_HEADER_FIELD_SIGNATURE,
+                                  NULL, &pos);
+      generate_from_message (data, expected_validity, message);
+
+      _dbus_string_set_byte (data, pos + 1, DBUS_TYPE_ARRAY);
+      _dbus_string_set_byte (data, pos + 2, DBUS_DICT_ENTRY_BEGIN_CHAR);
+      
+      *expected_validity = DBUS_INVALID_DICT_ENTRY_STARTED_BUT_NOT_ENDED;
+    }
+  else if (item_seq == 18)
+    {
+      message = simple_method_call ();
+      if (!dbus_message_append_args (message,
+                                     DBUS_TYPE_INT32, &v_INT32,
+                                     DBUS_TYPE_INT32, &v_INT32,
+                                     DBUS_TYPE_INT32, &v_INT32,
+                                     DBUS_TYPE_INVALID))
+        _dbus_assert_not_reached ("oom");
+                                     
+      _dbus_header_get_field_raw (&message->header,
+                                  DBUS_HEADER_FIELD_SIGNATURE,
+                                  NULL, &pos);
+      generate_from_message (data, expected_validity, message);
+      
+      _dbus_string_set_byte (data, pos + 1, DBUS_DICT_ENTRY_END_CHAR);
+      
+      *expected_validity = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
+    }
+  else if (item_seq == 19)
+    {
+      message = simple_method_call ();
+      if (!dbus_message_append_args (message,
+                                     DBUS_TYPE_INT32, &v_INT32,
+                                     DBUS_TYPE_INT32, &v_INT32,
+                                     DBUS_TYPE_INT32, &v_INT32,
+                                     DBUS_TYPE_INVALID))
+        _dbus_assert_not_reached ("oom");
+                                     
+      _dbus_header_get_field_raw (&message->header,
+                                  DBUS_HEADER_FIELD_SIGNATURE,
+                                  NULL, &pos);
+      generate_from_message (data, expected_validity, message);
+
+      _dbus_string_set_byte (data, pos + 1, DBUS_TYPE_ARRAY);
+      _dbus_string_set_byte (data, pos + 2, DBUS_DICT_ENTRY_BEGIN_CHAR);
+      _dbus_string_set_byte (data, pos + 3, DBUS_DICT_ENTRY_END_CHAR);
+      
+      *expected_validity = DBUS_INVALID_DICT_ENTRY_HAS_NO_FIELDS;
+    }
   else
     {
       return FALSE;