Details
-
Bug
-
Resolution: Done
-
P1: Critical
-
4.7.4, 4.8.0, 5.0.0
-
None
Description
QDbusArgument extraction operators and QDBusDemarshaller that implements the extraction do not check the type of the extracted value. Helper function template qIterGet in qdbusdemarshaller.cpp that is used for extracting basic data types only reserves space from the stack for the expected type as specified by client. If the actual type in the DBus parameter is larger stack will be overwritten in the helper function by at most 7 bytes (expected one byte, received dbus_uint_64_t of size 8 bytes).
See also http://dbus.freedesktop.org/doc/api/html/group__DBusMessage.html#ga41c23a05e552d0574d0444d4693d18ab