Merge branch '3827-filename-to-uri-strings' into 'main'

gconvert: Error out if g_escape_uri_string() would overflow

Closes #3827

See merge request GNOME/glib!4914

fuzzing/fuzz_filename_from_uri.c

@@ -0,0 +1,40 @@
+/*
+ * Copyright 2025 GNOME Foundation, Inc.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "fuzz.h"
+
+int
+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
+{
+  unsigned char *nul_terminated_data = NULL;
+  char *filename = NULL;
+  GError *local_error = NULL;
+
+  fuzz_set_logging_func ();
+
+  /* ignore @size (g_filename_from_uri() doesn’t support it); ensure @data is nul-terminated */
+  nul_terminated_data = (unsigned char *) g_strndup ((const char *) data, size);
+  filename = g_filename_from_uri ((const char *) nul_terminated_data, NULL, &local_error);
+  g_free (nul_terminated_data);
+
+  g_free (filename);
+  g_clear_error (&local_error);
+
+  return 0;
+}

fuzzing/fuzz_filename_to_uri.c

@@ -0,0 +1,40 @@
+/*
+ * Copyright 2025 GNOME Foundation, Inc.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "fuzz.h"
+
+int
+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
+{
+  unsigned char *nul_terminated_data = NULL;
+  char *uri = NULL;
+  GError *local_error = NULL;
+
+  fuzz_set_logging_func ();
+
+  /* ignore @size (g_filename_to_uri() doesn’t support it); ensure @data is nul-terminated */
+  nul_terminated_data = (unsigned char *) g_strndup ((const char *) data, size);
+  uri = g_filename_to_uri ((const char *) nul_terminated_data, NULL, &local_error);
+  g_free (nul_terminated_data);
+
+  g_free (uri);
+  g_clear_error (&local_error);
+
+  return 0;
+}

fuzzing/meson.build

@@ -25,6 +25,8 @@ fuzz_targets = [
   'fuzz_date_parse',
   'fuzz_date_time_new_from_iso8601',
   'fuzz_dbus_message',
+  'fuzz_filename_from_uri',
+  'fuzz_filename_to_uri',
   'fuzz_get_locale_variants',
   'fuzz_inet_address_mask_new_from_string',
   'fuzz_inet_address_new_from_string',

glib/gconvert.c

@@ -1337,7 +1337,8 @@ static const gchar hex[] = "0123456789ABCDEF";
  * escape something else, please read RFC-2396 */
 static gchar *
 g_escape_uri_string (const gchar         *string,
-		     UnsafeCharacterSet mask)
+                     UnsafeCharacterSet   mask,
+                     GError             **error)
 {
 #define ACCEPTABLE(a) ((a)>=32 && (a)<128 && (acceptable[(a)-32] & use_mask))
 
@@ -1345,7 +1346,7 @@ g_escape_uri_string (const gchar *string,
   gchar *q;
   gchar *result;
   int c;
-  gint unacceptable;
+  size_t unacceptable;
   UnsafeCharacterSet use_mask;
   
   g_return_val_if_fail (mask == UNSAFE_ALL
@@ -1363,6 +1364,13 @@ g_escape_uri_string (const gchar *string,
 	unacceptable++;
     }
 
+  if (unacceptable >= (G_MAXSIZE - (p - string)) / 2)
+    {
+      g_set_error_literal (error, G_CONVERT_ERROR, G_CONVERT_ERROR_BAD_URI,
+                           _("The URI is too long"));
+      return NULL;
+    }
+
   result = g_malloc (p - string + unacceptable * 2 + 1);
   
   use_mask = mask;
@@ -1388,11 +1396,12 @@ g_escape_uri_string (const gchar *string,
 
 static gchar *
 g_escape_file_uri (const gchar  *hostname,
-		   const gchar *pathname)
+                   const gchar  *pathname,
+                   GError      **error)
 {
   char *escaped_hostname = NULL;
-  char *escaped_path;
+  char *escaped_path = NULL;
-  char *res;
+  char *res = NULL;
 
 #ifdef G_OS_WIN32
   char *p, *backslash;
@@ -1413,10 +1422,14 @@ g_escape_file_uri (const gchar *hostname,
 
   if (hostname && *hostname != '\0')
     {
-      escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST);
+      escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST, error);
+      if (escaped_hostname == NULL)
+        goto out;
     }
 
-  escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH);
+  escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH, error);
+  if (escaped_path == NULL)
+    goto out;
 
   res = g_strconcat ("file://",
 		     (escaped_hostname) ? escaped_hostname : "",
@@ -1424,6 +1437,7 @@ g_escape_file_uri (const gchar *hostname,
 		     escaped_path,
 		     NULL);
 
+out:
 #ifdef G_OS_WIN32
   g_free ((char *) pathname);
 #endif
@@ -1753,7 +1767,7 @@ g_filename_to_uri (const gchar *filename,
     hostname = NULL;
 #endif
 
-  escaped_uri = g_escape_file_uri (hostname, filename);
+  escaped_uri = g_escape_file_uri (hostname, filename, error);
 
   return escaped_uri;
 }