From 263ca69da80eab0a2b8e3308a562675a8c643988 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@endlessos.org>
Date: Fri, 18 Mar 2022 15:49:33 +0000
Subject: [PATCH] gthreadedresolver: Check header length when parsing response

Otherwise we could read off the end of an invalid response.

oss-fuzz#42538
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
---
 gio/gthreadedresolver.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/gio/gthreadedresolver.c b/gio/gthreadedresolver.c
index 48545d6ad..3caa9f36e 100644
--- a/gio/gthreadedresolver.c
+++ b/gio/gthreadedresolver.c
@@ -667,6 +667,7 @@ g_resolver_records_from_res_query (const gchar      *rrname,
   const HEADER *header;
   GList *records;
   GVariant *record;
+  gsize len_unsigned;
 
   if (len <= 0)
     {
@@ -689,11 +690,23 @@ g_resolver_records_from_res_query (const gchar      *rrname,
       return NULL;
     }
 
+  /* We know len ≥ 0 now. */
+  len_unsigned = (gsize) len;
+
+  if (len_unsigned < sizeof (HEADER))
+    {
+      g_set_error (error, G_RESOLVER_ERROR, G_RESOLVER_ERROR_INTERNAL,
+                   /* Translators: the first placeholder is a domain name, the
+                    * second is an error message */
+                   _("Error resolving “%s”: %s"), rrname, _("Malformed DNS packet"));
+      return NULL;
+    }
+
   records = NULL;
 
   header = (HEADER *)answer;
   p = answer + sizeof (HEADER);
-  end = answer + len;
+  end = answer + len_unsigned;
 
   /* Skip query */
   count = ntohs (header->qdcount);