diff options
author | Philip Withnall <pwithnall@endlessos.org> | 2021-02-04 16:12:24 +0000 |
---|---|---|
committer | Philip Withnall <pwithnall@endlessos.org> | 2021-02-04 16:17:21 +0000 |
commit | 81a454237dc210c0d476c5f635426d3cebb3abfc (patch) | |
tree | 744754947e65b1a5094af9b50fb31c5edb5a2511 | |
parent | 19470722b370f65596d2b0628e2a39fe494fb560 (diff) | |
download | glib-81a454237dc210c0d476c5f635426d3cebb3abfc.tar.gz |
gwinhttpfile: Avoid arithmetic overflow when calculating a size
The members of `URL_COMPONENTS` (`winhttp_file->url`) are `DWORD`s, i.e.
32-bit unsigned integers. Adding to and multiplying them may cause them
to overflow the unsigned integer bounds, even if the result is passed to
`g_memdup2()` which accepts a `gsize`.
Cast the `URL_COMPONENTS` members to `gsize` first to ensure that the
arithmetic is done in terms of `gsize`s rather than unsigned integers.
Spotted by Sebastian Dröge.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
-rw-r--r-- | gio/win32/gwinhttpfile.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c index be26dd3b5..5b8dcfe0b 100644 --- a/gio/win32/gwinhttpfile.c +++ b/gio/win32/gwinhttpfile.c @@ -409,10 +409,10 @@ g_winhttp_file_resolve_relative_path (GFile *file, child = g_object_new (G_TYPE_WINHTTP_FILE, NULL); child->vfs = winhttp_file->vfs; child->url = winhttp_file->url; - child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2); - child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2); - child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2); - child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2); + child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, ((gsize) winhttp_file->url.dwSchemeLength + 1) * 2); + child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, ((gsize) winhttp_file->url.dwHostNameLength + 1) * 2); + child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, ((gsize) winhttp_file->url.dwUserNameLength + 1) * 2); + child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, ((gsize) winhttp_file->url.dwPasswordLength + 1) * 2); child->url.lpszUrlPath = wnew_path; child->url.dwUrlPathLength = wcslen (wnew_path); child->url.lpszExtraInfo = NULL; |