From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Tue, 9 Sep 2025 20:54:29 +0200
Subject: gstrfuncs: Check string length in g_strescape
If the input string is too large on a 32-bit system, it is possible
to trigger an integer overflow which subsequently leads to an
out-of-bounds write.
Origin: upstream, 2.86.1, commit:b274f829638282a71757620ad226869d9cc4f7df
---
glib/gstrfuncs.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/glib/gstrfuncs.c b/glib/gstrfuncs.c
index 7ef9ff8..0141ece 100644
--- a/glib/gstrfuncs.c
+++ b/glib/gstrfuncs.c
@@ -2214,6 +2214,7 @@ gchar *
g_strescape (const gchar *source,
const gchar *exceptions)
{
+ size_t len;
const guchar *p;
gchar *dest;
gchar *q;
@@ -2223,7 +2224,13 @@ g_strescape (const gchar *source,
p = (guchar *) source;
/* Each source byte needs maximally four destination chars (\777) */
- q = dest = g_malloc (strlen (source) * 4 + 1);
+ if (!g_size_checked_mul (&len, strlen (source), 4) ||
+ !g_size_checked_add (&len, len, 1))
+ {
+ g_error ("%s: overflow allocating %" G_GSIZE_FORMAT "*4+1 bytes",
+ G_STRLOC, strlen (source));
+ }
+ q = dest = g_malloc (len);
memset (excmap, 0, 256);
if (exceptions)
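Review bot: The overflow branch ends in `g_error`, which is fatal in GLib, so on a 32-bit build an oversized `source` now aborts the process instead of overflowing the heap. That is consistent with `g_malloc` aborting on allocation failure, but g_strescape's documentation should say so, so that callers escaping untrusted input bound its length first. Two smaller style points: `strlen (source)` is scanned again only to build the message, and `len` is declared `size_t` in the first hunk while `g_size_checked_mul` takes a `gsize *` and the message uses `G_GSIZE_FORMAT`. Declaring `gsize len, source_len;` and starting with `source_len = strlen (source);` would keep the types matched and print the same value that was checked. The body of g_strescape starts and ends outside both hunks, so any earlier validation of `source` is not visible here.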