authorSebastian Dröge <sebastian@centricular.com>2021-11-25 14:25:24 +0200
committerSebastian Dröge <sebastian@centricular.com>2021-11-25 14:38:17 +0200
commit72ca69e1dbf765de1b19fa0769cca614057a8d5f (patch)
tree3bb7f995fd8c1dc79e5d1b8fcd6f62c2d5627db8 /glib/gstringchunk.c
parentb5447e8e35e42e77539c21710fc26979cf096846 (diff)
downloadglib-72ca69e1dbf765de1b19fa0769cca614057a8d5f.tar.gz
Add some overflow protection to g_string_chunk_insert_len()
If the new string's length plus the existing storage's length overflows a gsize, we would previously memcpy() the string over the bounds of the previous allocation. Similarly, if the string's size was bigger than G_MAXSIZE / 2, we would previously have allocated 0 bytes. Now instead create a new allocation that fits the string.
Diffstat (limited to 'glib/gstringchunk.c')
-rw-r--r--glib/gstringchunk.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/glib/gstringchunk.c b/glib/gstringchunk.c
index 226bfa98f..feacb154f 100644
--- a/glib/gstringchunk.c
+++ b/glib/gstringchunk.c
@@ -270,10 +270,15 @@ g_string_chunk_insert_len (GStringChunk *chunk,
else
size = (gsize) len;
- if ((chunk->storage_next + size + 1) > chunk->this_size)
+ if ((G_MAXSIZE - chunk->storage_next < size + 1) || (chunk->storage_next + size + 1) > chunk->this_size)
{
gsize new_size = g_nearest_pow (MAX (chunk->default_size, size + 1));
+ /* If size is bigger than G_MAXSIZE / 2 then store it in its own
+ * allocation instead of failing here */
+ if (new_size == 0)
+ new_size = size + 1;
+
chunk->storage_list = g_slist_prepend (chunk->storage_list,
g_new (gchar, new_size));