garray: add overflow checks before expanding arraywip/chergert/garray-bail

We should bail when we detect that adding a number of items to an array
would cause it to overflow. Since we can't change to using gsize for ABI
reasons we should protect the integrity of the process even if that means
crashing.

1 files changed, 12 insertions, 2 deletions

diff --git a/glib/garray.c b/glib/garray.c
index 5b71c887a..a6cbd57bb 100644
--- a/glib/garray.c
+++ b/glib/garray.c
@@ -803,8 +803,14 @@ static void
 g_array_maybe_expand (GRealArray *array,
                       guint       len)
 {
-  guint want_alloc = g_array_elt_len (array, array->len + len + 
-                                      array->zero_terminated);
+  guint want_alloc;
+
+  /* Detect potential overflow */
+  if G_UNLIKELY ((G_MAXUINT - array->len) < len)
+    g_error ("adding %u to array would overflow", len);
+
+  want_alloc = g_array_elt_len (array, array->len + len +
+                                array->zero_terminated);
 
   if (want_alloc > array->alloc)
     {
@@ -1162,6 +1168,10 @@ static void
 g_ptr_array_maybe_expand (GRealPtrArray *array,
                           gint           len)
 {
+  /* Detect potential overflow */
+  if G_UNLIKELY ((G_MAXUINT - array->len) < len)
+    g_error ("adding %u to array would overflow", len);
+
   if ((array->len + len) > array->alloc)
     {
       guint old_alloc = array->alloc;