| author | Sebastian Dröge <sebastian@centricular.com> | 2021-11-25 14:25:24 +0200 |
|---|---|---|
| committer | Sebastian Dröge <sebastian@centricular.com> | 2021-11-25 14:38:17 +0200 |
| commit | 72ca69e1dbf765de1b19fa0769cca614057a8d5f (patch) | |
| tree | 3bb7f995fd8c1dc79e5d1b8fcd6f62c2d5627db8 /glib/gstringchunk.c | |
| parent | b5447e8e35e42e77539c21710fc26979cf096846 (diff) | |
| download | glib-72ca69e1dbf765de1b19fa0769cca614057a8d5f.tar.gz | |
Add some overflow protection to g_string_chunk_insert_len()
If the new string's length plus the existing storage's length is
overflowing a gsize, we would previously memcpy() the string over the
bounds of the previous allocation.
Similarly if the string's size was bigger than G_MAXSIZE / 2 we would've
previously allocated 0 bytes.
Now instead create a new allocation that fits the string.
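The two failure modes the commit message describes (the capacity test wrapping around, and the power-of-two rounding returning 0 for very large strings) are easy to see with plain integers. The following is an added example, not GLib code: it models the capacity test of g_string_chunk_insert_len() with size_t in place of gsize, with a local nearest_pow() written to the "0 on overflow" behaviour the commit message relies on, and compares the pre-patch test, the patched test, and a subtraction-based test that cannot overflow at all. The inputs are constructed; storage_next, this_size and default_size are stand-ins for the GStringChunk fields of the same names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not GLib code.  size_t stands in for gsize.
 * storage_next = bytes already used in the current block
 * this_size    = capacity of the current block
 * size         = length of the string to copy, excluding the NUL */

/* Pre-patch test: storage_next + size + 1 can wrap around. */
static bool needs_new_block_unguarded(size_t storage_next, size_t this_size, size_t size)
{
    return (storage_next + size + 1) > this_size;
}

/* Patched test: first reject a sum that cannot be represented. */
static bool needs_new_block_patched(size_t storage_next, size_t this_size, size_t size)
{
    return (SIZE_MAX - storage_next < size + 1) ||
           (storage_next + size + 1) > this_size;
}

/* Alternative with no addition that can overflow.  Assumes the invariant
 * storage_next <= this_size, which holds for the chunk's own blocks.
 * Like the patched test it still needs size == SIZE_MAX rejected by the
 * caller, because size + 1 wraps to 0 before either comparison. */
static bool needs_new_block_subtract(size_t storage_next, size_t this_size, size_t size)
{
    return size + 1 > this_size - storage_next;
}

/* Smallest power of two >= n, or 0 when it does not fit in size_t
 * (the "0 on overflow" contract the commit message describes for
 * g_nearest_pow(); this is a local model, not GLib's implementation). */
static size_t nearest_pow(size_t n)
{
    size_t p = 1;
    while (p < n) {
        if (p > SIZE_MAX / 2)
            return 0;
        p <<= 1;
    }
    return p;
}

/* Block size chosen for a string of `size` bytes, with the patch's
 * fallback to an exact-fit allocation when rounding up overflowed. */
static size_t new_block_size(size_t default_size, size_t size)
{
    size_t want = size + 1;
    size_t new_size = nearest_pow(want > default_size ? want : default_size);
    if (new_size == 0)      /* rounding overflowed: store it in its own block */
        new_size = size + 1;
    return new_size;
}

int main(void)
{
    /* Constructed scenario: 100 of 4096 bytes used, then a string whose
     * length is close to SIZE_MAX (an attacker-controlled len would do). */
    size_t storage_next = 100, this_size = 4096;
    size_t huge = SIZE_MAX - 50;

    printf("unguarded test says new block needed: %d\n",
           needs_new_block_unguarded(storage_next, this_size, huge));
    printf("patched   test says new block needed: %d\n",
           needs_new_block_patched(storage_next, this_size, huge));
    printf("subtract  test says new block needed: %d\n",
           needs_new_block_subtract(storage_next, this_size, huge));
    printf("nearest_pow(size + 1) = %zu, block size with fallback = %zu\n",
           nearest_pow(huge + 1), new_block_size(256, huge));
    return 0;
}
```

With the constructed input the unguarded sum wraps to 50, so the old test reports that the string fits and the subsequent memcpy() would run past the block; both overflow-aware tests report that a new block is needed, and the rounding fallback yields an exact-fit size instead of 0.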
Diffstat (limited to 'glib/gstringchunk.c')
-rw-r--r-- | glib/gstringchunk.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/glib/gstringchunk.c b/glib/gstringchunk.c index 226bfa98f..feacb154f 100644 --- a/glib/gstringchunk.c +++ b/glib/gstringchunk.c @@ -270,10 +270,15 @@ g_string_chunk_insert_len (GStringChunk *chunk, else size = (gsize) len; - if ((chunk->storage_next + size + 1) > chunk->this_size) + if ((G_MAXSIZE - chunk->storage_next < size + 1) || (chunk->storage_next + size + 1) > chunk->this_size) { gsize new_size = g_nearest_pow (MAX (chunk->default_size, size + 1)); + /* If size is bigger than G_MAXSIZE / 2 then store it in its own + * allocation instead of failing here */ + if (new_size == 0) + new_size = size + 1; + chunk->storage_list = g_slist_prepend (chunk->storage_list, g_new (gchar, new_size)); |
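Review bot: the new condition still evaluates `size + 1` unguarded, so `size == G_MAXSIZE` wraps it to 0, both operands of the `||` become false, and the fallback `new_size = size + 1` would also be 0; nothing in this hunk rejects that value before `g_new (gchar, new_size)`. Assuming the invariant `chunk->storage_next <= chunk->this_size` holds for the chunk's own blocks, the whole test can be written without any addition, e.g. `if (size + 1 > chunk->this_size - chunk->storage_next)`, which leaves only `size == G_MAXSIZE` to reject explicitly ahead of the test. Separately, the rewritten `if` line is far past the usual line width; put the two `||` operands on separate lines. The new comment should also name what the code keys on, `g_nearest_pow()` returning 0, rather than "bigger than G_MAXSIZE / 2", so a reader does not have to derive the threshold.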