From 2842e4a86f50816a8ae849309869f7bf3d0c580d Mon Sep 17 00:00:00 2001
From: Philip Withnall
Date: Thu, 19 Sep 2024 17:49:10 +0100
Subject: [PATCH] =?UTF-8?q?gvariant-parser:=20Assert=20that=20pattern=20le?= =?UTF-8?q?ngths=20don=E2=80=99t=20overflow?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I can’t see it being possible for this to be hit in practice, as it would require two very long GVariant text format inputs, which would probably hit input limits earlier on somewhere else. But in order to avoid a silent integer overflow, let’s check that the addition won’t overflow before going ahead with it.

Signed-off-by: Philip Withnall

Helps: #3469
---
glib/gvariant-parser.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
index 822b46651..1a6697797 100644
--- a/glib/gvariant-parser.c
+++ b/glib/gvariant-parser.c
@@ -434,6 +434,7 @@ pattern_coalesce (const gchar *left,
 gchar *result;
 gchar *out;
 size_t buflen;
+ size_t left_len = strlen (left), right_len = strlen (right);
 
 /* the length of the output is loosely bound by the sum of the input
 * lengths, not simply the greater of the two lengths.
@@ -445,7 +446,8 @@ pattern_coalesce (const gchar *left,
 * This can be proven by the fact that `out` is never incremented by more
 * bytes than are consumed from `left` or `right` in each iteration.
 */
- buflen = strlen (left) + strlen (right) + 1;
+ g_assert (left_len < G_MAXSIZE - right_len);
+ buflen = left_len + right_len + 1;
 out = result = g_malloc (buflen);
 
 while (*left && *right)
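Review bot: The added declaration in the first hunk packs two initialised declarators into one statement, `size_t left_len = strlen (left), right_len = strlen (right);`, while every neighbouring declaration (`result`, `out`, `buflen`) is one per line; splitting it into `size_t left_len = strlen (left);` and `size_t right_len = strlen (right);` keeps the block uniform and makes each `strlen` call visible on its own line when stepping through. The body of pattern_coalesce continues outside this hunk.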
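Review bot: The overflow guard in the second hunk is a `g_assert`, which GLib compiles out when `G_DISABLE_ASSERT` is defined, so in such a build the `buflen = left_len + right_len + 1;` line silently wraps again and the undersized `g_malloc (buflen)` below it is reached — exactly the case the commit message says it wants to exclude. If the intent is a hard guarantee rather than a debug-only check, an unconditional form such as `if (left_len >= G_MAXSIZE - right_len) g_error ("pattern lengths overflow");` survives all build configurations; if it is deliberately a programmer-error assertion, a one-line comment saying so would stop the next reader from reopening this. The bound itself is right: the strict `<` leaves room for the trailing `+ 1`, so the sum can be at most `G_MAXSIZE`. The enclosing function starts before and ends after this hunk.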