pool/glib2
SHA256
17
0
Fork 1
Code Issues Pull Requests Activity
Files
factory
glib2/glib2-CVE-2026-1484.patch

94 lines
2.5 KiB
Diff
Raw Permalink Blame History

From 5ba0ed9ab2c28294713bdc56a8744ff0a446b59c Mon Sep 17 00:00:00 2001
From: Marco Trevisan <mail@3v1n0.net>
Date: Fri, 23 Jan 2026 18:48:30 +0100
Subject: [PATCH 1/2] gbase64: Use gsize to prevent potential overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Both g_base64_encode_step() and g_base64_encode_close() return gsize
values, but these are summed to an int value.
If the sum of these returned values is bigger than MAXINT, we overflow
while doing the null byte write.
Spotted by treeplus.
Thanks to the Sovereign Tech Resilience programme from the Sovereign
Tech Agency.
ID: #YWH-PGM9867-168
Closes: #3870
(cherry picked from commit 6845f7776982849a2be1d8c9b0495e389092bff2)
Co-authored-by: Marco Trevisan (Treviño) <mail@3v1n0.net>
---
glib/gbase64.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/glib/gbase64.c b/glib/gbase64.c
index 2ea4a4ef44..214b489117 100644
--- a/glib/gbase64.c
+++ b/glib/gbase64.c
@@ -240,8 +240,9 @@ g_base64_encode (const guchar *data,
gsize len)
{
gchar *out;
- gint state = 0, outlen;
+ gint state = 0;
gint save = 0;
+ gsize outlen;
g_return_val_if_fail (data != NULL || len == 0, NULL);
--
GitLab
From 25429bd0b22222d6986d000d62b44eebf490837d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
Date: Wed, 21 Jan 2026 20:09:44 +0100
Subject: [PATCH 2/2] gbase64: Ensure that the out value is within allocated
size
We do not want to deference or write to it
Related to: #3870
---
glib/gbase64.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/glib/gbase64.c b/glib/gbase64.c
index 214b489117..0141b3b072 100644
--- a/glib/gbase64.c
+++ b/glib/gbase64.c
@@ -243,6 +243,7 @@ g_base64_encode (const guchar *data,
gint state = 0;
gint save = 0;
gsize outlen;
+ gsize allocsize;
g_return_val_if_fail (data != NULL || len == 0, NULL);
@@ -250,10 +251,15 @@ g_base64_encode (const guchar *data,
+1 is needed for trailing \0, also check for unlikely integer overflow */
g_return_val_if_fail (len < ((G_MAXSIZE - 1) / 4 - 1) * 3, NULL);
- out = g_malloc ((len / 3 + 1) * 4 + 1);
+ allocsize = (len / 3 + 1) * 4 + 1;
+ out = g_malloc (allocsize);
outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save);
+ g_assert (outlen <= allocsize);
+
outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save);
+ g_assert (outlen <= allocsize);
+
out[outlen] = '\0';
return (gchar *) out;
--
GitLab
Reference in New Issue View Git Blame Copy Permalink