diff options
author | Christian Hergert <chergert@redhat.com> | 2018-07-23 21:05:11 -0700 |
---|---|---|
committer | Christian Hergert <chergert@redhat.com> | 2018-07-23 21:05:11 -0700 |
commit | 0c7dc758443696c3d7daa42a7a0b073779fcdf53 (patch) | |
tree | 77ea2cbeaf92593ede12f8b3bd109715b5b63922 | |
parent | 4e1488eebb2129c6e39162b56275d311f24216ab (diff) | |
download | glib-wip/chergert/garray-bail.tar.gz |
garray: add overflow checks before expanding arraywip/chergert/garray-bail
We should bail when we detect that adding a number of items to an array
would cause it to overflow. Since we can't change to using gsize for ABI
reasons we should protect the integrity of the process even if that means
crashing.
-rw-r--r-- | glib/garray.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/glib/garray.c b/glib/garray.c index 5b71c887a..a6cbd57bb 100644 --- a/glib/garray.c +++ b/glib/garray.c @@ -803,8 +803,14 @@ static void g_array_maybe_expand (GRealArray *array, guint len) { - guint want_alloc = g_array_elt_len (array, array->len + len + - array->zero_terminated); + guint want_alloc; + + /* Detect potential overflow */ + if G_UNLIKELY ((G_MAXUINT - array->len) < len) + g_error ("adding %u to array would overflow", len); + + want_alloc = g_array_elt_len (array, array->len + len + + array->zero_terminated); if (want_alloc > array->alloc) { @@ -1162,6 +1168,10 @@ static void g_ptr_array_maybe_expand (GRealPtrArray *array, gint len) { + /* Detect potential overflow */ + if G_UNLIKELY ((G_MAXUINT - array->len) < len) + g_error ("adding %u to array would overflow", len); + if ((array->len + len) > array->alloc) { guint old_alloc = array->alloc; |