From f8cf0b8672209e0b829542e194e302f1de169929 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 4 Feb 2021 13:30:52 +0000 Subject: [PATCH 01/11] gstrfuncs: Add g_memdup2() function This will replace the existing `g_memdup()` function, which has an unavoidable security flaw of taking its `byte_size` argument as a `guint` rather than as a `gsize`. Most callers will expect it to be a `gsize`, and may pass in large values which could silently be truncated, resulting in an undersize allocation compared to what the caller expects. This could lead to a classic buffer overflow vulnerability for many callers of `g_memdup()`. `g_memdup2()`, in comparison, takes its `byte_size` as a `gsize`. Spotted by Kevin Backhouse of GHSL. Signed-off-by: Philip Withnall Helps: GHSL-2021-045 Helps: #2319 --- docs/reference/glib/glib-sections.txt | 1 + glib/gstrfuncs.c | 32 +++++++++++++++++++++++++++ glib/gstrfuncs.h | 4 ++++ glib/tests/strfuncs.c | 21 ++++++++++++++++++ 4 files changed, 58 insertions(+) diff --git a/docs/reference/glib/glib-sections.txt b/docs/reference/glib/glib-sections.txt index d0121801a..2e219cf0c 100644 --- a/docs/reference/glib/glib-sections.txt +++ b/docs/reference/glib/glib-sections.txt @@ -1341,6 +1341,7 @@ g_newa g_memmove g_memdup +g_memdup2 GMemVTable diff --git a/glib/gstrfuncs.c b/glib/gstrfuncs.c index afedf4f78..9ee9459e7 100644 --- a/glib/gstrfuncs.c +++ b/glib/gstrfuncs.c @@ -398,6 +398,38 @@ g_memdup (gconstpointer mem, return new_mem; } +/** + * g_memdup2: + * @mem: (nullable): the memory to copy. + * @byte_size: the number of bytes to copy. + * + * Allocates @byte_size bytes of memory, and copies @byte_size bytes into it + * from @mem. If @mem is %NULL it returns %NULL. + * + * This replaces g_memdup(), which was prone to integer overflows when + * converting the argument from a #gsize to a #guint. + * + * Returns: (nullable): a pointer to the newly-allocated copy of the memory, + * or %NULL if @mem is %NULL. + * Since: 2.68 + */ +gpointer +g_memdup2 (gconstpointer mem, + gsize byte_size) +{ + gpointer new_mem; + + if (mem && byte_size != 0) + { + new_mem = g_malloc (byte_size); + memcpy (new_mem, mem, byte_size); + } + else + new_mem = NULL; + + return new_mem; +} + /** * g_strndup: * @str: the string to duplicate diff --git a/glib/gstrfuncs.h b/glib/gstrfuncs.h index fc88cc1c5..47cdb0adb 100644 --- a/glib/gstrfuncs.h +++ b/glib/gstrfuncs.h @@ -257,6 +257,10 @@ GLIB_AVAILABLE_IN_ALL gpointer g_memdup (gconstpointer mem, guint byte_size) G_GNUC_ALLOC_SIZE(2); +GLIB_AVAILABLE_IN_2_68 +gpointer g_memdup2 (gconstpointer mem, + gsize byte_size) G_GNUC_ALLOC_SIZE(2); + /* NULL terminated string arrays. * g_strsplit(), g_strsplit_set() split up string into max_tokens tokens * at delim and return a newly allocated string array. diff --git a/glib/tests/strfuncs.c b/glib/tests/strfuncs.c index 37cbc5a8a..d6eaee385 100644 --- a/glib/tests/strfuncs.c +++ b/glib/tests/strfuncs.c @@ -221,6 +221,26 @@ test_memdup (void) g_free (str_dup); } +/* Testing g_memdup2() function with various positive and negative cases */ +static void +test_memdup2 (void) +{ + gchar *str_dup = NULL; + const gchar *str = "The quick brown fox jumps over the lazy dog"; + + /* Testing negative cases */ + g_assert_null (g_memdup2 (NULL, 1024)); + g_assert_null (g_memdup2 (str, 0)); + g_assert_null (g_memdup2 (NULL, 0)); + + /* Testing normal usage cases */ + str_dup = g_memdup2 (str, strlen (str) + 1); + g_assert_nonnull (str_dup); + g_assert_cmpstr (str, ==, str_dup); + + g_free (str_dup); +} + /* Testing g_strpcpy() function with various positive and negative cases */ static void test_stpcpy (void) @@ -2539,6 +2559,7 @@ main (int argc, g_test_add_func ("/strfuncs/has-prefix", test_has_prefix); g_test_add_func ("/strfuncs/has-suffix", test_has_suffix); g_test_add_func ("/strfuncs/memdup", test_memdup); + g_test_add_func ("/strfuncs/memdup2", test_memdup2); g_test_add_func ("/strfuncs/stpcpy", test_stpcpy); g_test_add_func ("/strfuncs/str_match_string", test_str_match_string); g_test_add_func ("/strfuncs/str_tokenize_and_fold", test_str_tokenize_and_fold); From 73b293fd301ced3e8a3f8c62df2ebd0147210180 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 4 Feb 2021 13:37:56 +0000 Subject: [PATCH 02/11] gio: Use g_memdup2() instead of g_memdup() in obvious places MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Convert all the call sites which use `g_memdup()`’s length argument trivially (for example, by passing a `sizeof()`), so that they use `g_memdup2()` instead. In almost all of these cases the use of `g_memdup()` would not have caused problems, but it will soon be deprecated, so best port away from it. Signed-off-by: Philip Withnall Helps: #2319 --- gio/gdbusconnection.c | 4 ++-- gio/gdbusinterfaceskeleton.c | 2 +- gio/gfile.c | 6 +++--- gio/gsettingsschema.c | 4 ++-- gio/gwin32registrykey.c | 6 +++--- gio/tests/async-close-output-stream.c | 4 ++-- gio/tests/gdbus-export.c | 4 ++-- gio/win32/gwinhttpfile.c | 8 ++++---- 8 files changed, 19 insertions(+), 19 deletions(-) diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c index 776289340..520a9eca2 100644 --- a/gio/gdbusconnection.c +++ b/gio/gdbusconnection.c @@ -4016,7 +4016,7 @@ _g_dbus_interface_vtable_copy (const GDBusInterfaceVTable *vtable) /* Don't waste memory by copying padding - remember to update this * when changing struct _GDBusInterfaceVTable in gdbusconnection.h */ - return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer)); + return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer)); } static void @@ -4033,7 +4033,7 @@ _g_dbus_subtree_vtable_copy (const GDBusSubtreeVTable *vtable) /* Don't waste memory by copying padding - remember to update this * when changing struct _GDBusSubtreeVTable in gdbusconnection.h */ - return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer)); + return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer)); } static void diff --git a/gio/gdbusinterfaceskeleton.c b/gio/gdbusinterfaceskeleton.c index 76398df36..878c14599 100644 --- a/gio/gdbusinterfaceskeleton.c +++ b/gio/gdbusinterfaceskeleton.c @@ -702,7 +702,7 @@ add_connection_locked (GDBusInterfaceSkeleton *interface_, * properly before building the hooked_vtable, so we create it * once at the last minute. */ - interface_->priv->hooked_vtable = g_memdup (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable)); + interface_->priv->hooked_vtable = g_memdup2 (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable)); interface_->priv->hooked_vtable->method_call = skeleton_intercept_handle_method_call; } diff --git a/gio/gfile.c b/gio/gfile.c index ca6456544..1f2a3e850 100644 --- a/gio/gfile.c +++ b/gio/gfile.c @@ -7903,7 +7903,7 @@ measure_disk_usage_progress (gboolean reporting, g_main_context_invoke_full (g_task_get_context (task), g_task_get_priority (task), measure_disk_usage_invoke_progress, - g_memdup (&progress, sizeof progress), + g_memdup2 (&progress, sizeof progress), g_free); } @@ -7921,7 +7921,7 @@ measure_disk_usage_thread (GTask *task, data->progress_callback ? measure_disk_usage_progress : NULL, task, &result.disk_usage, &result.num_dirs, &result.num_files, &error)) - g_task_return_pointer (task, g_memdup (&result, sizeof result), g_free); + g_task_return_pointer (task, g_memdup2 (&result, sizeof result), g_free); else g_task_return_error (task, error); } @@ -7945,7 +7945,7 @@ g_file_real_measure_disk_usage_async (GFile *file, task = g_task_new (file, cancellable, callback, user_data); g_task_set_source_tag (task, g_file_real_measure_disk_usage_async); - g_task_set_task_data (task, g_memdup (&data, sizeof data), g_free); + g_task_set_task_data (task, g_memdup2 (&data, sizeof data), g_free); g_task_set_priority (task, io_priority); g_task_run_in_thread (task, measure_disk_usage_thread); diff --git a/gio/gsettingsschema.c b/gio/gsettingsschema.c index 26b9a65ad..ed2a7a560 100644 --- a/gio/gsettingsschema.c +++ b/gio/gsettingsschema.c @@ -1071,9 +1071,9 @@ g_settings_schema_list_children (GSettingsSchema *schema) if (g_str_has_suffix (key, "/")) { - gint length = strlen (key); + gsize length = strlen (key); - strv[j] = g_memdup (key, length); + strv[j] = g_memdup2 (key, length); strv[j][length - 1] = '\0'; j++; } diff --git a/gio/gwin32registrykey.c b/gio/gwin32registrykey.c index 29895217d..57ad1a318 100644 --- a/gio/gwin32registrykey.c +++ b/gio/gwin32registrykey.c @@ -247,7 +247,7 @@ g_win32_registry_value_iter_copy (const GWin32RegistryValueIter *iter) new_iter->value_name_size = iter->value_name_size; if (iter->value_data != NULL) - new_iter->value_data = g_memdup (iter->value_data, iter->value_data_size); + new_iter->value_data = g_memdup2 (iter->value_data, iter->value_data_size); new_iter->value_data_size = iter->value_data_size; @@ -268,8 +268,8 @@ g_win32_registry_value_iter_copy (const GWin32RegistryValueIter *iter) new_iter->value_data_expanded_charsize = iter->value_data_expanded_charsize; if (iter->value_data_expanded_u8 != NULL) - new_iter->value_data_expanded_u8 = g_memdup (iter->value_data_expanded_u8, - iter->value_data_expanded_charsize); + new_iter->value_data_expanded_u8 = g_memdup2 (iter->value_data_expanded_u8, + iter->value_data_expanded_charsize); new_iter->value_data_expanded_u8_size = iter->value_data_expanded_charsize; diff --git a/gio/tests/async-close-output-stream.c b/gio/tests/async-close-output-stream.c index 5f6620275..00e068766 100644 --- a/gio/tests/async-close-output-stream.c +++ b/gio/tests/async-close-output-stream.c @@ -147,9 +147,9 @@ prepare_data (SetupData *data, data->expected_size = g_memory_output_stream_get_data_size (G_MEMORY_OUTPUT_STREAM (data->data_stream)); - g_assert_cmpint (data->expected_size, >, 0); + g_assert_cmpuint (data->expected_size, >, 0); - data->expected_output = g_memdup (written, (guint)data->expected_size); + data->expected_output = g_memdup2 (written, data->expected_size); /* then recreate the streams and prepare them for the asynchronous close */ destroy_streams (data); diff --git a/gio/tests/gdbus-export.c b/gio/tests/gdbus-export.c index ba5388600..61d47e90a 100644 --- a/gio/tests/gdbus-export.c +++ b/gio/tests/gdbus-export.c @@ -671,7 +671,7 @@ subtree_introspect (GDBusConnection *connection, g_assert_not_reached (); } - return g_memdup (interfaces, 2 * sizeof (void *)); + return g_memdup2 (interfaces, 2 * sizeof (void *)); } static const GDBusInterfaceVTable * @@ -727,7 +727,7 @@ dynamic_subtree_introspect (GDBusConnection *connection, { const GDBusInterfaceInfo *interfaces[2] = { &dyna_interface_info, NULL }; - return g_memdup (interfaces, 2 * sizeof (void *)); + return g_memdup2 (interfaces, 2 * sizeof (void *)); } static const GDBusInterfaceVTable * diff --git a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c index 509cdeb33..be26dd3b5 100644 --- a/gio/win32/gwinhttpfile.c +++ b/gio/win32/gwinhttpfile.c @@ -409,10 +409,10 @@ g_winhttp_file_resolve_relative_path (GFile *file, child = g_object_new (G_TYPE_WINHTTP_FILE, NULL); child->vfs = winhttp_file->vfs; child->url = winhttp_file->url; - child->url.lpszScheme = g_memdup (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2); - child->url.lpszHostName = g_memdup (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2); - child->url.lpszUserName = g_memdup (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2); - child->url.lpszPassword = g_memdup (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2); + child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2); + child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2); + child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2); + child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2); child->url.lpszUrlPath = wnew_path; child->url.dwUrlPathLength = wcslen (wnew_path); child->url.lpszExtraInfo = NULL; From f10101b90917b0c6a171d0aa32210abc74818ebb Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 4 Feb 2021 13:39:25 +0000 Subject: [PATCH 03/11] gobject: Use g_memdup2() instead of g_memdup() in obvious places MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Convert all the call sites which use `g_memdup()`’s length argument trivially (for example, by passing a `sizeof()`), so that they use `g_memdup2()` instead. In almost all of these cases the use of `g_memdup()` would not have caused problems, but it will soon be deprecated, so best port away from it. Signed-off-by: Philip Withnall Helps: #2319 --- gobject/gsignal.c | 2 +- gobject/gtype.c | 8 ++++---- gobject/gtypemodule.c | 2 +- gobject/tests/param.c | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/gobject/gsignal.c b/gobject/gsignal.c index 726185b95..8e10f40d2 100644 --- a/gobject/gsignal.c +++ b/gobject/gsignal.c @@ -1797,7 +1797,7 @@ g_signal_newv (const gchar *signal_name, node->single_va_closure_is_valid = FALSE; node->flags = signal_flags & G_SIGNAL_FLAGS_MASK; node->n_params = n_params; - node->param_types = g_memdup (param_types, sizeof (GType) * n_params); + node->param_types = g_memdup2 (param_types, sizeof (GType) * n_params); node->return_type = return_type; node->class_closure_bsa = NULL; if (accumulator) diff --git a/gobject/gtype.c b/gobject/gtype.c index 0c530ec9b..94e23b814 100644 --- a/gobject/gtype.c +++ b/gobject/gtype.c @@ -1476,7 +1476,7 @@ type_add_interface_Wm (TypeNode *node, iholder->next = iface_node_get_holders_L (iface); iface_node_set_holders_W (iface, iholder); iholder->instance_type = NODE_TYPE (node); - iholder->info = info ? g_memdup (info, sizeof (*info)) : NULL; + iholder->info = info ? g_memdup2 (info, sizeof (*info)) : NULL; iholder->plugin = plugin; /* create an iface entry for this type */ @@ -1785,7 +1785,7 @@ type_iface_retrieve_holder_info_Wm (TypeNode *iface, INVALID_RECURSION ("g_type_plugin_*", iholder->plugin, NODE_NAME (iface)); check_interface_info_I (iface, instance_type, &tmp_info); - iholder->info = g_memdup (&tmp_info, sizeof (tmp_info)); + iholder->info = g_memdup2 (&tmp_info, sizeof (tmp_info)); } return iholder; /* we don't modify write lock upon returning NULL */ @@ -2070,10 +2070,10 @@ type_iface_vtable_base_init_Wm (TypeNode *iface, IFaceEntry *pentry = type_lookup_iface_entry_L (pnode, iface); if (pentry) - vtable = g_memdup (pentry->vtable, iface->data->iface.vtable_size); + vtable = g_memdup2 (pentry->vtable, iface->data->iface.vtable_size); } if (!vtable) - vtable = g_memdup (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size); + vtable = g_memdup2 (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size); entry->vtable = vtable; vtable->g_type = NODE_TYPE (iface); vtable->g_instance_type = NODE_TYPE (node); diff --git a/gobject/gtypemodule.c b/gobject/gtypemodule.c index dcbd73467..014b5fc3c 100644 --- a/gobject/gtypemodule.c +++ b/gobject/gtypemodule.c @@ -437,7 +437,7 @@ g_type_module_register_type (GTypeModule *module, module_type_info->loaded = TRUE; module_type_info->info = *type_info; if (type_info->value_table) - module_type_info->info.value_table = g_memdup (type_info->value_table, + module_type_info->info.value_table = g_memdup2 (type_info->value_table, sizeof (GTypeValueTable)); return module_type_info->type; diff --git a/gobject/tests/param.c b/gobject/tests/param.c index 1bfdaff87..3ab87ef77 100644 --- a/gobject/tests/param.c +++ b/gobject/tests/param.c @@ -903,7 +903,7 @@ main (int argc, char *argv[]) test_path = g_strdup_printf ("/param/implement/subprocess/%d-%d-%d-%d", data.change_this_flag, data.change_this_type, data.use_this_flag, data.use_this_type); - test_data = g_memdup (&data, sizeof (TestParamImplementData)); + test_data = g_memdup2 (&data, sizeof (TestParamImplementData)); g_test_add_data_func_full (test_path, test_data, test_param_implement_child, g_free); g_free (test_path); } From 19470722b370f65596d2b0628e2a39fe494fb560 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 4 Feb 2021 13:41:21 +0000 Subject: [PATCH 04/11] glib: Use g_memdup2() instead of g_memdup() in obvious places MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Convert all the call sites which use `g_memdup()`’s length argument trivially (for example, by passing a `sizeof()` or an existing `gsize` variable), so that they use `g_memdup2()` instead. In almost all of these cases the use of `g_memdup()` would not have caused problems, but it will soon be deprecated, so best port away from it In particular, this fixes an overflow within `g_bytes_new()`, identified as GHSL-2021-045 by GHSL team member Kevin Backhouse. Signed-off-by: Philip Withnall Fixes: GHSL-2021-045 Helps: #2319 --- glib/gbytes.c | 4 ++-- glib/gdir.c | 2 +- glib/ghash.c | 6 +++--- glib/giochannel.c | 4 ++-- glib/gslice.c | 2 +- glib/gtestutils.c | 2 +- glib/gvariant.c | 6 +++--- glib/gvarianttype.c | 2 +- glib/tests/array-test.c | 2 +- glib/tests/option-context.c | 4 ++-- glib/tests/uri.c | 6 +++--- 11 files changed, 20 insertions(+), 20 deletions(-) diff --git a/glib/gbytes.c b/glib/gbytes.c index ec6923188..00fd79155 100644 --- a/glib/gbytes.c +++ b/glib/gbytes.c @@ -95,7 +95,7 @@ g_bytes_new (gconstpointer data, { g_return_val_if_fail (data != NULL || size == 0, NULL); - return g_bytes_new_take (g_memdup (data, size), size); + return g_bytes_new_take (g_memdup2 (data, size), size); } /** @@ -499,7 +499,7 @@ g_bytes_unref_to_data (GBytes *bytes, * Copy: Non g_malloc (or compatible) allocator, or static memory, * so we have to copy, and then unref. */ - result = g_memdup (bytes->data, bytes->size); + result = g_memdup2 (bytes->data, bytes->size); *size = bytes->size; g_bytes_unref (bytes); } diff --git a/glib/gdir.c b/glib/gdir.c index 6b85e99c8..c26edc1dc 100644 --- a/glib/gdir.c +++ b/glib/gdir.c @@ -112,7 +112,7 @@ g_dir_open_with_errno (const gchar *path, return NULL; #endif - return g_memdup (&dir, sizeof dir); + return g_memdup2 (&dir, sizeof dir); } /** diff --git a/glib/ghash.c b/glib/ghash.c index f3ed0f3b9..cc2d00087 100644 --- a/glib/ghash.c +++ b/glib/ghash.c @@ -962,7 +962,7 @@ g_hash_table_ensure_keyval_fits (GHashTable *hash_table, gpointer key, gpointer if (hash_table->have_big_keys) { if (key != value) - hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size); + hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size); /* Keys and values are both big now, so no need for further checks */ return; } @@ -970,7 +970,7 @@ g_hash_table_ensure_keyval_fits (GHashTable *hash_table, gpointer key, gpointer { if (key != value) { - hash_table->values = g_memdup (hash_table->keys, sizeof (guint) * hash_table->size); + hash_table->values = g_memdup2 (hash_table->keys, sizeof (guint) * hash_table->size); is_a_set = FALSE; } } @@ -998,7 +998,7 @@ g_hash_table_ensure_keyval_fits (GHashTable *hash_table, gpointer key, gpointer /* Just split if necessary */ if (is_a_set && key != value) - hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size); + hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size); #endif } diff --git a/glib/giochannel.c b/glib/giochannel.c index d977b769e..63d7e0314 100644 --- a/glib/giochannel.c +++ b/glib/giochannel.c @@ -1673,10 +1673,10 @@ g_io_channel_read_line (GIOChannel *channel, /* Copy the read bytes (including any embedded nuls) and nul-terminate. * `USE_BUF (channel)->str` is guaranteed to be nul-terminated as it’s a - * #GString, so it’s safe to call g_memdup() with +1 length to allocate + * #GString, so it’s safe to call g_memdup2() with +1 length to allocate * a nul-terminator. */ g_assert (USE_BUF (channel)); - line = g_memdup (USE_BUF (channel)->str, got_length + 1); + line = g_memdup2 (USE_BUF (channel)->str, got_length + 1); line[got_length] = '\0'; *str_return = g_steal_pointer (&line); g_string_erase (USE_BUF (channel), 0, got_length); diff --git a/glib/gslice.c b/glib/gslice.c index 589619080..d6335c9dd 100644 --- a/glib/gslice.c +++ b/glib/gslice.c @@ -351,7 +351,7 @@ g_slice_get_config_state (GSliceConfig ckey, array[i++] = allocator->contention_counters[address]; array[i++] = allocator_get_magazine_threshold (allocator, address); *n_values = i; - return g_memdup (array, sizeof (array[0]) * *n_values); + return g_memdup2 (array, sizeof (array[0]) * *n_values); default: return NULL; } diff --git a/glib/gtestutils.c b/glib/gtestutils.c index 5660fc8be..d24c6e186 100644 --- a/glib/gtestutils.c +++ b/glib/gtestutils.c @@ -3966,7 +3966,7 @@ g_test_log_extract (GTestLogBuffer *tbuffer) if (p <= tbuffer->data->str + mlength) { g_string_erase (tbuffer->data, 0, mlength); - tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup (&msg, sizeof (msg))); + tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup2 (&msg, sizeof (msg))); return TRUE; } diff --git a/glib/gvariant.c b/glib/gvariant.c index 5584614c6..e48dec1ad 100644 --- a/glib/gvariant.c +++ b/glib/gvariant.c @@ -725,7 +725,7 @@ g_variant_new_variant (GVariant *value) g_variant_ref_sink (value); return g_variant_new_from_children (G_VARIANT_TYPE_VARIANT, - g_memdup (&value, sizeof value), + g_memdup2 (&value, sizeof value), 1, g_variant_is_trusted (value)); } @@ -1229,7 +1229,7 @@ g_variant_new_fixed_array (const GVariantType *element_type, return NULL; } - data = g_memdup (elements, n_elements * element_size); + data = g_memdup2 (elements, n_elements * element_size); value = g_variant_new_from_data (array_type, data, n_elements * element_size, FALSE, g_free, data); @@ -1912,7 +1912,7 @@ g_variant_dup_bytestring (GVariant *value, if (length) *length = size; - return g_memdup (original, size + 1); + return g_memdup2 (original, size + 1); } /** diff --git a/glib/gvarianttype.c b/glib/gvarianttype.c index 831fed4bf..cc97235f3 100644 --- a/glib/gvarianttype.c +++ b/glib/gvarianttype.c @@ -1181,7 +1181,7 @@ g_variant_type_new_tuple (const GVariantType * const *items, g_assert (offset < sizeof buffer); buffer[offset++] = ')'; - return (GVariantType *) g_memdup (buffer, offset); + return (GVariantType *) g_memdup2 (buffer, offset); } /** diff --git a/glib/tests/array-test.c b/glib/tests/array-test.c index adedfc19f..fef63f672 100644 --- a/glib/tests/array-test.c +++ b/glib/tests/array-test.c @@ -1933,7 +1933,7 @@ byte_array_new_take (void) GByteArray *gbarray; guint8 *data; - data = g_memdup ("woooweeewow", 11); + data = g_memdup2 ("woooweeewow", 11); gbarray = g_byte_array_new_take (data, 11); g_assert (gbarray->data == data); g_assert_cmpuint (gbarray->len, ==, 11); diff --git a/glib/tests/option-context.c b/glib/tests/option-context.c index ec66e6f94..042b130af 100644 --- a/glib/tests/option-context.c +++ b/glib/tests/option-context.c @@ -257,7 +257,7 @@ join_stringv (int argc, char **argv) static char ** copy_stringv (char **argv, int argc) { - return g_memdup (argv, sizeof (char *) * (argc + 1)); + return g_memdup2 (argv, sizeof (char *) * (argc + 1)); } static void @@ -2324,7 +2324,7 @@ test_group_parse (void) g_option_context_add_group (context, group); argv = split_string ("program --test arg1 -f arg2 --group-test arg3 --frob arg4 -z arg5", &argc); - orig_argv = g_memdup (argv, (argc + 1) * sizeof (char *)); + orig_argv = g_memdup2 (argv, (argc + 1) * sizeof (char *)); retval = g_option_context_parse (context, &argc, &argv, &error); diff --git a/glib/tests/uri.c b/glib/tests/uri.c index 2c610382b..1f3209f97 100644 --- a/glib/tests/uri.c +++ b/glib/tests/uri.c @@ -410,7 +410,7 @@ test_uri_unescape_bytes (gconstpointer test_data) else { escaped_len = strlen (tests[i].escaped); /* no trailing nul */ - escaped = g_memdup (tests[i].escaped, escaped_len); + escaped = g_memdup2 (tests[i].escaped, escaped_len); } bytes = g_uri_unescape_bytes (escaped, escaped_len, tests[i].illegal, &error); @@ -1591,7 +1591,7 @@ test_uri_iter_params (gconstpointer test_data) else { uri_len = strlen (params_tests[i].uri); /* no trailing nul */ - uri = g_memdup (params_tests[i].uri, uri_len); + uri = g_memdup2 (params_tests[i].uri, uri_len); } /* Run once without extracting the attr or value, just to check the numbers. */ @@ -1658,7 +1658,7 @@ test_uri_parse_params (gconstpointer test_data) else { uri_len = strlen (params_tests[i].uri); /* no trailing nul */ - uri = g_memdup (params_tests[i].uri, uri_len); + uri = g_memdup2 (params_tests[i].uri, uri_len); } params = g_uri_parse_params (uri, uri_len, params_tests[i].separators, params_tests[i].flags, &err); From 81a454237dc210c0d476c5f635426d3cebb3abfc Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 4 Feb 2021 16:12:24 +0000 Subject: [PATCH 05/11] gwinhttpfile: Avoid arithmetic overflow when calculating a size MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The members of `URL_COMPONENTS` (`winhttp_file->url`) are `DWORD`s, i.e. 32-bit unsigned integers. Adding to and multiplying them may cause them to overflow the unsigned integer bounds, even if the result is passed to `g_memdup2()` which accepts a `gsize`. Cast the `URL_COMPONENTS` members to `gsize` first to ensure that the arithmetic is done in terms of `gsize`s rather than unsigned integers. Spotted by Sebastian Dröge. Signed-off-by: Philip Withnall Helps: #2319 --- gio/win32/gwinhttpfile.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c index be26dd3b5..5b8dcfe0b 100644 --- a/gio/win32/gwinhttpfile.c +++ b/gio/win32/gwinhttpfile.c @@ -409,10 +409,10 @@ g_winhttp_file_resolve_relative_path (GFile *file, child = g_object_new (G_TYPE_WINHTTP_FILE, NULL); child->vfs = winhttp_file->vfs; child->url = winhttp_file->url; - child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2); - child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2); - child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2); - child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2); + child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, ((gsize) winhttp_file->url.dwSchemeLength + 1) * 2); + child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, ((gsize) winhttp_file->url.dwHostNameLength + 1) * 2); + child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, ((gsize) winhttp_file->url.dwUserNameLength + 1) * 2); + child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, ((gsize) winhttp_file->url.dwPasswordLength + 1) * 2); child->url.lpszUrlPath = wnew_path; child->url.dwUrlPathLength = wcslen (wnew_path); child->url.lpszExtraInfo = NULL; From 41d5eedad4f2eeeea28705b9887254a28f7ae138 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 4 Feb 2021 13:49:00 +0000 Subject: [PATCH 06/11] gdatainputstream: Handle stop_chars_len internally as gsize Previously it was handled as a `gssize`, which meant that if the `stop_chars` string was longer than `G_MAXSSIZE` there would be an overflow. Signed-off-by: Philip Withnall Helps: #2319 --- gio/gdatainputstream.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/gio/gdatainputstream.c b/gio/gdatainputstream.c index 676c6ae22..edbead103 100644 --- a/gio/gdatainputstream.c +++ b/gio/gdatainputstream.c @@ -856,7 +856,7 @@ static gssize scan_for_chars (GDataInputStream *stream, gsize *checked_out, const char *stop_chars, - gssize stop_chars_len) + gsize stop_chars_len) { GBufferedInputStream *bstream; const char *buffer; @@ -952,7 +952,7 @@ typedef struct gsize checked; gchar *stop_chars; - gssize stop_chars_len; + gsize stop_chars_len; gsize length; } GDataInputStreamReadData; @@ -1078,12 +1078,17 @@ g_data_input_stream_read_async (GDataInputStream *stream, { GDataInputStreamReadData *data; GTask *task; + gsize stop_chars_len_unsigned; data = g_slice_new0 (GDataInputStreamReadData); - if (stop_chars_len == -1) - stop_chars_len = strlen (stop_chars); - data->stop_chars = g_memdup (stop_chars, stop_chars_len); - data->stop_chars_len = stop_chars_len; + + if (stop_chars_len < 0) + stop_chars_len_unsigned = strlen (stop_chars); + else + stop_chars_len_unsigned = (gsize) stop_chars_len; + + data->stop_chars = g_memdup2 (stop_chars, stop_chars_len_unsigned); + data->stop_chars_len = stop_chars_len_unsigned; data->last_saw_cr = FALSE; task = g_task_new (stream, cancellable, callback, user_data); @@ -1338,17 +1343,20 @@ g_data_input_stream_read_upto (GDataInputStream *stream, gssize found_pos; gssize res; char *data_until; + gsize stop_chars_len_unsigned; g_return_val_if_fail (G_IS_DATA_INPUT_STREAM (stream), NULL); if (stop_chars_len < 0) - stop_chars_len = strlen (stop_chars); + stop_chars_len_unsigned = strlen (stop_chars); + else + stop_chars_len_unsigned = (gsize) stop_chars_len; bstream = G_BUFFERED_INPUT_STREAM (stream); checked = 0; - while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len)) == -1) + while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len_unsigned)) == -1) { if (g_buffered_input_stream_get_available (bstream) == g_buffered_input_stream_get_buffer_size (bstream)) From 9acebef777f4a669819155d844f5dd75a38fdbc8 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 4 Feb 2021 13:50:37 +0000 Subject: [PATCH 07/11] gwin32: Use gsize internally in g_wcsdup() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This allows it to handle strings up to length `G_MAXSIZE` — previously it would overflow with such strings. Update the several copies of it identically. Signed-off-by: Philip Withnall Helps: #2319 --- gio/giowin32-private.c | 19 +++++++++++-------- gio/gwin32packageparser.c | 19 +++++++++++-------- gio/gwin32registrykey.c | 36 +++++++++++++++++++++++++++--------- 3 files changed, 49 insertions(+), 25 deletions(-) diff --git a/gio/giowin32-private.c b/gio/giowin32-private.c index 7120ae0ea..6e1926daa 100644 --- a/gio/giowin32-private.c +++ b/gio/giowin32-private.c @@ -17,10 +17,10 @@ */ -static gssize +static gsize g_utf16_len (const gunichar2 *str) { - gssize result; + gsize result; for (result = 0; str[0] != 0; str++, result++) ; @@ -31,17 +31,20 @@ g_utf16_len (const gunichar2 *str) static gunichar2 * g_wcsdup (const gunichar2 *str, gssize str_len) { - gssize str_size; + gsize str_len_unsigned; + gsize str_size; g_return_val_if_fail (str != NULL, NULL); - if (str_len == -1) - str_len = g_utf16_len (str); + if (str_len < 0) + str_len_unsigned = g_utf16_len (str); + else + str_len_unsigned = (gsize) str_len; - g_assert (str_len <= G_MAXSIZE / sizeof (gunichar2) - 1); - str_size = (str_len + 1) * sizeof (gunichar2); + g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1); + str_size = (str_len_unsigned + 1) * sizeof (gunichar2); - return g_memdup (str, str_size); + return g_memdup2 (str, str_size); } static const gunichar2 * diff --git a/gio/gwin32packageparser.c b/gio/gwin32packageparser.c index 745f1f522..ad5302270 100755 --- a/gio/gwin32packageparser.c +++ b/gio/gwin32packageparser.c @@ -62,10 +62,10 @@ typedef HRESULT (STDAPICALLTYPE *CreateXmlReader_func)(REFIID riid, void **ppvOb #define sax_CreateXmlReader sax->CreateXmlReader #endif -static gssize +static gsize g_utf16_len (const gunichar2 *str) { - gssize result; + gsize result; for (result = 0; str[0] != 0; str++, result++) ; @@ -76,17 +76,20 @@ g_utf16_len (const gunichar2 *str) static gunichar2 * g_wcsdup (const gunichar2 *str, gssize str_len) { - gssize str_size; + gsize str_len_unsigned; + gsize str_size; g_return_val_if_fail (str != NULL, NULL); - if (str_len == -1) - str_len = g_utf16_len (str); + if (str_len < 0) + str_len_unsigned = g_utf16_len (str); + else + str_len_unsigned = (gsize) str_len; - g_assert (str_len <= G_MAXSIZE / sizeof (gunichar2) - 1); - str_size = (str_len + 1) * sizeof (gunichar2); + g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1); + str_size = (str_len_unsigned + 1) * sizeof (gunichar2); - return g_memdup (str, str_size); + return g_memdup2 (str, str_size); } static BOOL diff --git a/gio/gwin32registrykey.c b/gio/gwin32registrykey.c index 57ad1a318..398d8f45b 100644 --- a/gio/gwin32registrykey.c +++ b/gio/gwin32registrykey.c @@ -125,16 +125,34 @@ typedef enum G_WIN32_REGISTRY_UPDATED_PATH = 1, } GWin32RegistryKeyUpdateFlag; -static gunichar2 * -g_wcsdup (const gunichar2 *str, - gssize str_size) +static gsize +g_utf16_len (const gunichar2 *str) { - if (str_size == -1) - { - str_size = wcslen (str) + 1; - str_size *= sizeof (gunichar2); - } - return g_memdup (str, str_size); + gsize result; + + for (result = 0; str[0] != 0; str++, result++) + ; + + return result; +} + +static gunichar2 * +g_wcsdup (const gunichar2 *str, gssize str_len) +{ + gsize str_len_unsigned; + gsize str_size; + + g_return_val_if_fail (str != NULL, NULL); + + if (str_len < 0) + str_len_unsigned = g_utf16_len (str); + else + str_len_unsigned = (gsize) str_len; + + g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1); + str_size = (str_len_unsigned + 1) * sizeof (gunichar2); + + return g_memdup2 (str, str_size); } /** From 7781a9cbd2fd0aa84bee0f4eee88470640ff6706 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 4 Feb 2021 13:58:32 +0000 Subject: [PATCH 08/11] gkeyfilesettingsbackend: Handle long keys when converting paths Previously, the code in `convert_path()` could not handle keys longer than `G_MAXINT`, and would overflow if that was exceeded. Convert the code to use `gsize` and `g_memdup2()` throughout, and change from identifying the position of the final slash in the string using a signed offset `i`, to using a pointer to the character (and `strrchr()`). This allows the slash to be at any position in a `G_MAXSIZE`-long string, without sacrificing a bit of the offset for indicating whether a slash was found. Signed-off-by: Philip Withnall Helps: #2319 --- gio/gkeyfilesettingsbackend.c | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c index 60f0cc921..793eed02a 100644 --- a/gio/gkeyfilesettingsbackend.c +++ b/gio/gkeyfilesettingsbackend.c @@ -149,8 +149,8 @@ convert_path (GKeyfileSettingsBackend *kfsb, gchar **group, gchar **basename) { - gint key_len = strlen (key); - gint i; + gsize key_len = strlen (key); + const gchar *last_slash; if (key_len < kfsb->prefix_len || memcmp (key, kfsb->prefix, kfsb->prefix_len) != 0) @@ -159,38 +159,36 @@ convert_path (GKeyfileSettingsBackend *kfsb, key_len -= kfsb->prefix_len; key += kfsb->prefix_len; - for (i = key_len; i >= 0; i--) - if (key[i] == '/') - break; + last_slash = strrchr (key, '/'); if (kfsb->root_group) { /* if a root_group was specified, make sure the user hasn't given * a path that ghosts that group name */ - if (i == kfsb->root_group_len && memcmp (key, kfsb->root_group, i) == 0) + if (last_slash != NULL && (last_slash - key) == kfsb->root_group_len && memcmp (key, kfsb->root_group, last_slash - key) == 0) return FALSE; } else { /* if no root_group was given, ensure that the user gave a path */ - if (i == -1) + if (last_slash == NULL) return FALSE; } if (group) { - if (i >= 0) + if (last_slash != NULL) { - *group = g_memdup (key, i + 1); - (*group)[i] = '\0'; + *group = g_memdup2 (key, (last_slash - key) + 1); + (*group)[(last_slash - key)] = '\0'; } else *group = g_strdup (kfsb->root_group); } if (basename) - *basename = g_memdup (key + i + 1, key_len - i); + *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key)); return TRUE; } From a2e38fd28e880b63513b8cdb28dfc7cd779ce6cb Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 4 Feb 2021 14:00:53 +0000 Subject: [PATCH 09/11] =?UTF-8?q?gsocket:=20Use=20gsize=20to=20track=20nat?= =?UTF-8?q?ive=20sockaddr=E2=80=99s=20size?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Don’t use an `int`, that’s potentially too small. In practical terms, this is not a problem, since no socket address is going to be that big. By making these changes we can use `g_memdup2()` without warnings, though. Fewer warnings is good. Signed-off-by: Philip Withnall Helps: #2319 --- gio/gsocket.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/gio/gsocket.c b/gio/gsocket.c index a4f363f25..a7ba27d0c 100644 --- a/gio/gsocket.c +++ b/gio/gsocket.c @@ -169,7 +169,7 @@ static gboolean g_socket_datagram_based_condition_wait (GDatagramBased GError **error); static GSocketAddress * -cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len); +cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len); static gssize g_socket_receive_message_with_timeout (GSocket *socket, @@ -255,7 +255,7 @@ struct _GSocketPrivate struct { GSocketAddress *addr; struct sockaddr *native; - gint native_len; + gsize native_len; guint64 last_used; } recv_addr_cache[RECV_ADDR_CACHE_SIZE]; }; @@ -5339,14 +5339,14 @@ g_socket_send_messages_with_timeout (GSocket *socket, } static GSocketAddress * -cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len) +cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len) { GSocketAddress *saddr; gint i; guint64 oldest_time = G_MAXUINT64; gint oldest_index = 0; - if (native_len <= 0) + if (native_len == 0) return NULL; saddr = NULL; @@ -5354,7 +5354,7 @@ cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len) { GSocketAddress *tmp = socket->priv->recv_addr_cache[i].addr; gpointer tmp_native = socket->priv->recv_addr_cache[i].native; - gint tmp_native_len = socket->priv->recv_addr_cache[i].native_len; + gsize tmp_native_len = socket->priv->recv_addr_cache[i].native_len; if (!tmp) continue; @@ -5384,7 +5384,7 @@ cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len) g_free (socket->priv->recv_addr_cache[oldest_index].native); } - socket->priv->recv_addr_cache[oldest_index].native = g_memdup (native, native_len); + socket->priv->recv_addr_cache[oldest_index].native = g_memdup2 (native, native_len); socket->priv->recv_addr_cache[oldest_index].native_len = native_len; socket->priv->recv_addr_cache[oldest_index].addr = g_object_ref (saddr); socket->priv->recv_addr_cache[oldest_index].last_used = g_get_monotonic_time (); @@ -5532,6 +5532,9 @@ g_socket_receive_message_with_timeout (GSocket *socket, /* do it */ while (1) { + /* addrlen has to be of type int because that’s how WSARecvFrom() is defined */ + G_STATIC_ASSERT (sizeof addr <= G_MAXINT); + addrlen = sizeof addr; if (address) result = WSARecvFrom (socket->priv->fd, From a8b204ff9df49df5ad14005abc0ed39b1d09c408 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 4 Feb 2021 14:07:39 +0000 Subject: [PATCH 10/11] gtlspassword: Forbid very long TLS passwords MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The public API `g_tls_password_set_value_full()` (and the vfunc it invokes) can only accept a `gssize` length. Ensure that nul-terminated strings passed to `g_tls_password_set_value()` can’t exceed that length. Use `g_memdup2()` to avoid an overflow if they’re longer than `G_MAXUINT` similarly. Signed-off-by: Philip Withnall Helps: #2319 --- gio/gtlspassword.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/gio/gtlspassword.c b/gio/gtlspassword.c index 1e437a7b6..f5e02a1a8 100644 --- a/gio/gtlspassword.c +++ b/gio/gtlspassword.c @@ -287,9 +287,14 @@ g_tls_password_set_value (GTlsPassword *password, g_return_if_fail (G_IS_TLS_PASSWORD (password)); if (length < 0) - length = strlen ((gchar *)value); + { + /* FIXME: g_tls_password_set_value_full() doesn’t support unsigned gsize */ + gsize length_unsigned = strlen ((gchar *) value); + g_return_if_fail (length_unsigned > G_MAXSSIZE); + length = (gssize) length_unsigned; + } - g_tls_password_set_value_full (password, g_memdup (value, length), length, g_free); + g_tls_password_set_value_full (password, g_memdup2 (value, (gsize) length), length, g_free); } /** From 0cc11f745e43ebeec340917b8cbc69d4c9f4ed58 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 4 Feb 2021 14:09:40 +0000 Subject: [PATCH 11/11] giochannel: Forbid very long line terminator strings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The public API `GIOChannel.line_term_len` is only a `guint`. Ensure that nul-terminated strings passed to `g_io_channel_set_line_term()` can’t exceed that length. Use `g_memdup2()` to avoid a warning (`g_memdup()` is due to be deprecated), but not to avoid a bug, since it’s also limited to `G_MAXUINT`. Signed-off-by: Philip Withnall Helps: #2319 --- glib/giochannel.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/glib/giochannel.c b/glib/giochannel.c index 63d7e0314..4c5e081ed 100644 --- a/glib/giochannel.c +++ b/glib/giochannel.c @@ -886,16 +886,25 @@ g_io_channel_set_line_term (GIOChannel *channel, const gchar *line_term, gint length) { + guint length_unsigned; + g_return_if_fail (channel != NULL); g_return_if_fail (line_term == NULL || length != 0); /* Disallow "" */ if (line_term == NULL) - length = 0; - else if (length < 0) - length = strlen (line_term); + length_unsigned = 0; + else if (length >= 0) + length_unsigned = (guint) length; + else + { + /* FIXME: We’re constrained by line_term_len being a guint here */ + gsize length_size = strlen (line_term); + g_return_if_fail (length_size > G_MAXUINT); + length_unsigned = (guint) length_size; + } g_free (channel->line_term); - channel->line_term = line_term ? g_memdup (line_term, length) : NULL; + channel->line_term = line_term ? g_memdup2 (line_term, length_unsigned) : NULL; channel->line_term_len = length; }