gvariant-parser: Assert that pattern lengths don’t overflow

I can’t see it being possible for this to be hit in practice, as it
would require two very long GVariant text format inputs, which would
probably hit input limits earlier on somewhere else.

But in order to avoid a silent integer overflow, let’s check that the
addition won’t overflow before going ahead with it.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #3469
Philip Withnall 2024-09-19 17:49:10 +01:00
parent 785b61cfcb
commit 2842e4a86f
GPG Key ID: DCDF5885B1F3ED73


@ -434,6 +434,7 @@ pattern_coalesce (const gchar *left,
gchar *result;
gchar *out;
size_t buflen;
size_t left_len = strlen (left), right_len = strlen (right);
/* the length of the output is loosely bound by the sum of the input
* lengths, not simply the greater of the two lengths.
@ -445,7 +446,8 @@ pattern_coalesce (const gchar *left,
* This can be proven by the fact that `out` is never incremented by more
* bytes than are consumed from `left` or `right` in each iteration.
*/
buflen = strlen (left) + strlen (right) + 1;
g_assert (left_len < G_MAXSIZE - right_len);
buflen = left_len + right_len + 1;
out = result = g_malloc (buflen);
while (*left && *right)
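Review bot: `g_assert` is compiled out when `G_DISABLE_ASSERT` is defined, so in such builds the new guard on `left_len + right_len + 1` disappears and the silent overflow the commit message sets out to avoid is back. If that is acceptable because, as the message says, the condition is unreachable in practice, a comment next to `g_assert (left_len < G_MAXSIZE - right_len);` stating that it is a defensive check rather than input validation would make the intent clear; otherwise a check that survives release builds is needed. The strict `<` is correct as written: it leaves exactly one unit of headroom for the trailing `+ 1` in `buflen = left_len + right_len + 1;`.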