Hi Andrew,
On 03/19/2016 01:00 AM, Andrew Zaborowski wrote:
> ---
> ell/gvariant-util.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/ell/gvariant-util.c b/ell/gvariant-util.c
> index 1aaddc3..61e5b52 100644
> --- a/ell/gvariant-util.c
> +++ b/ell/gvariant-util.c
> @@ -497,6 +497,7 @@ static const void *next_item(struct l_dbus_message_iter *iter,
> bool last_member;
> unsigned int sig_len;
> unsigned int offset_len;
> + unsigned int len = iter->len;
Looks like this belongs in the if block below.
>
> memcpy(sig, iter->sig_start + iter->sig_pos,
> iter->sig_len - iter->sig_pos);
> @@ -529,7 +530,14 @@ static const void *next_item(struct l_dbus_message_iter *iter,
> }
>
> if (iter->container_type != DBUS_CONTAINER_TYPE_ARRAY && last_member) {
> - *out_item_size = iter->len - iter->pos;
> + offset_len = offset_length(iter->len, 0);
> + len = iter->len;
> +
> + if (iter->offsets && iter->offsets + offset_len <
> + iter->data + len)
> + len = iter->offsets + offset_len - iter->data;
> +
> + *out_item_size = len - iter->pos;
This looks fine to me. I'm guessing the location of the child iterator's offsets was being messed up? Hence variable length field sizes were incorrect. Right?
> goto done;
> }
>
Regards,
-Denis
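Review bot: The new `*out_item_size = len - iter->pos;` is an unsigned subtraction on a `len` that is no longer tied to `iter->len`, so if the clamped value ends up below `iter->pos` — which can happen if `iter->offsets` is derived from a malformed message and points before the current position — the item size wraps to a huge value instead of failing, whereas the old `iter->len - iter->pos` relied on the `pos <= len` invariant of the iterator. A guard before the assignment, `if (len < iter->pos) return NULL;` (using whatever error convention next_item has for its `const void *` return, which is not visible in this hunk), would close that. The clamp itself is written as a raw pointer comparison, `iter->offsets + offset_len < iter->data + len`; if `iter->offsets` may lie outside the message buffer on bad input, computing the same test on integer offsets (`(const char *) iter->offsets - (const char *) iter->data`) keeps it well-defined rather than comparing pointers into different objects. next_item starts before and continues after this hunk.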