Add stricter overflow protection from GArray to g_ptr_array_maybe_expand() too

It might otherwise happen that the return value from g_nearest_pow()
does not fit into a guint, i.e. it might be G_MAXUINT + 1 if that fits
into a gsize.
Sebastian Dröge 2021-11-25 14:11:29 +02:00
parent 5fcd2495f9
commit d01dc6d23a

@ -1503,8 +1503,16 @@ static void
g_ptr_array_maybe_expand (GRealPtrArray *array,
guint len)
{
guint max_len;
/* The maximum array length is derived from following constraints:
* - The number of bytes must fit into a gsize / 2.
* - The number of elements must fit into guint.
*/
max_len = MIN (G_MAXSIZE / 2 / sizeof (gpointer), G_MAXUINT);
/* Detect potential overflow */
if G_UNLIKELY ((G_MAXUINT - array->len) < len)
if G_UNLIKELY ((max_len - array->len) < len)
g_error ("adding %u to array would overflow", len);
if ((array->len + len) > array->alloc)
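
Review bot: the new check `(max_len - array->len) < len` is an unsigned subtraction, so it is only sound while `array->len <= max_len`, and nothing in this hunk states or enforces that. With the old `G_MAXUINT` bound the condition held for any guint, but where gsize is no wider than guint, `G_MAXSIZE / 2 / sizeof (gpointer)` is smaller than `G_MAXUINT`, and a length above it would make the subtraction wrap and let the request through. Consider writing the test as `array->len > max_len || len > max_len - array->len`, or adding the invariant to the comment above `max_len`. Separately, the commit message names the `g_nearest_pow()` result as the motivation, but the rounding happens below the visible lines and `max_len` still allows `array->len + len` to reach `G_MAXUINT`; a test that grows an array to that boundary would show the allocation size is clamped as intended. The `g_error()` text still says "would overflow" although the limit can now be the byte-size constraint rather than guint wraparound, so the message could mention the maximum length instead.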