Index: power-profiles-daemon-0.11/src/power-profiles-daemon.c =================================================================== --- power-profiles-daemon-0.11.orig/src/power-profiles-daemon.c +++ power-profiles-daemon-0.11/src/power-profiles-daemon.c @@ -537,6 +537,29 @@ holder_disappeared (GDBusConnection *con g_ptr_array_free (cookies, TRUE); } +#define MAX_UNTRUSTED_STR_LEN 1024 +#define MAX_PROFILE_HOLDS 32 + +static gboolean +check_sane_string(const char *s) +{ + guint i; + + for (i = 0; s[i] != 0; i++) { + gchar ch = s[i]; + + if (i > MAX_UNTRUSTED_STR_LEN) + return FALSE; + + if (g_ascii_isalnum(ch) || g_ascii_isspace(ch)) + continue; + + return FALSE; + } + + return TRUE; +} + static void hold_profile (PpdApp *data, GVariant *parameters, @@ -559,6 +582,18 @@ hold_profile (PpdApp *dat return; } + if (!check_sane_string(reason) || !check_sane_string(application_id)) { + g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS, + "Input strings are too long or contain invalid characters"); + return; + } + + if (g_hash_table_size(data->profile_holds) > MAX_PROFILE_HOLDS) { + g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_LIMITS_EXCEEDED, + "Too many profile holds already active"); + return; + } + hold = g_new0 (ProfileHold, 1); hold->profile = profile; hold->reason = g_strdup (reason);