From 1909d8ea9297287f1ff6862968608dcf06e60523 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 4 Dec 2025 16:37:19 +0000 Subject: [PATCH] gfileattribute: Fix integer overflow calculating escaping for byte strings The number of invalid characters in the byte string (characters which would have to be percent-encoded) was only stored in an `int`, which gave the possibility of a long string largely full of invalid characters overflowing this and allowing an attacker-controlled buffer size to be allocated. This could be triggered by an attacker controlled file attribute (of type `G_FILE_ATTRIBUTE_TYPE_BYTE_STRING`), such as `G_FILE_ATTRIBUTE_THUMBNAIL_PATH` or `G_FILE_ATTRIBUTE_STANDARD_NAME`, being read by user code. Spotted by Codean Labs. Signed-off-by: Philip Withnall Fixes: #3845 --- gio/gfileattribute.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/gio/gfileattribute.c b/gio/gfileattribute.c index c6fde60fa..d3083e5bd 100644 --- a/gio/gfileattribute.c +++ b/gio/gfileattribute.c @@ -22,6 +22,7 @@ #include "config.h" +#include #include #include "gfileattribute.h" @@ -166,11 +167,12 @@ valid_char (char c) return c >= 32 && c <= 126 && c != '\\'; } +/* Returns NULL on error */ static char * escape_byte_string (const char *str) { size_t i, len; - int num_invalid; + size_t num_invalid; char *escaped_val, *p; unsigned char c; const char hex_digits[] = "0123456789abcdef"; @@ -188,7 +190,12 @@ escape_byte_string (const char *str) return g_strdup (str); else { - escaped_val = g_malloc (len + num_invalid*3 + 1); + /* Check for overflow. We want to check the inequality: + * !(len + num_invalid * 3 + 1 > SIZE_MAX) */ + if (num_invalid >= (SIZE_MAX - len) / 3) + return NULL; + + escaped_val = g_malloc (len + num_invalid * 3 + 1); p = escaped_val; for (i = 0; i < len; i++)