luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2025-08-20 07:38:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

gfileutils: Fix OOB read in g_build_path(name)_va

Browse Source 
If an array with more than INT_MAX elements is passed to functions
internally calling g_build_path_va or g_build_pathname_va, then a
signed integer overflow and eventual out of boundary read access can
occur.

Use size_t instead of gint for lengths and array sizes.
This commit is contained in:
Tobias Stoeckmann
2025-07-18 22:50:27 +02:00
parent 03664fe237
commit 23b70b0d36
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
glib/gfileutils.c
View File

@@ -1928,13 +1928,13 @@ g_build_path_va (const gchar *separator,
gchar **str_array) gchar **str_array)
{ {
GString *result; GString *result;
gint separator_len = strlen (separator); size_t separator_len = strlen (separator);
gboolean is_first = TRUE; gboolean is_first = TRUE;
gboolean have_leading = FALSE; gboolean have_leading = FALSE;
const gchar *single_element = NULL; const gchar *single_element = NULL;
const gchar *next_element; const gchar *next_element;
const gchar *last_trailing = NULL; const gchar *last_trailing = NULL;
gint i = 0; size_t i = 0;
result = g_string_new (NULL); result = g_string_new (NULL);
@@ -2122,7 +2122,7 @@ g_build_pathname_va (const gchar *first_element,
const gchar *next_element; const gchar *next_element;
const gchar *last_trailing = NULL; const gchar *last_trailing = NULL;
gchar current_separator = '\\'; gchar current_separator = '\\';
gint i = 0; size_t i = 0;
result = g_string_new (NULL); result = g_string_new (NULL);