luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2025-04-04 06:43:07 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add some overflow protection to g_string_chunk_insert_len()

Browse Source 
If the new string's length plus the existing storage's length is
overflowing a gsize, we would previously memcpy() the string over the
bounds of the previous allocation.

Similarly if the string's size was bigger than G_MAXSIZE / 2 we would've
previously allocated 0 bytes.

Now instead create a new allocation that fits the string.
This commit is contained in:
Sebastian Dröge 2021-11-25 14:25:24 +02:00
parent b5447e8e35
commit 72ca69e1db
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
glib/gstringchunk.c
View File

@ -270,10 +270,15 @@ g_string_chunk_insert_len (GStringChunk *chunk,
else else
size = (gsize) len; size = (gsize) len;
if ((chunk->storage_next + size + 1) > chunk->this_size) if ((G_MAXSIZE - chunk->storage_next < size + 1) || (chunk->storage_next + size + 1) > chunk->this_size)
{ {
gsize new_size = g_nearest_pow (MAX (chunk->default_size, size + 1)); gsize new_size = g_nearest_pow (MAX (chunk->default_size, size + 1));
/* If size is bigger than G_MAXSIZE / 2 then store it in its own
* allocation instead of failing here */
if (new_size == 0)
new_size = size + 1;
chunk->storage_list = g_slist_prepend (chunk->storage_list, chunk->storage_list = g_slist_prepend (chunk->storage_list,
g_new (gchar, new_size)); g_new (gchar, new_size));