Overview

File glib2-CVE-2025-14087-1.patch of Package glib2

From 3e72fe0fbb32c18a66486c4da8bc851f656af287 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Tue, 25 Nov 2025 19:02:56 +0000
Subject: [PATCH] gvariant-parser: Fix potential integer overflow parsing
 (byte)strings

The termination condition for parsing string and bytestring literals in
GVariant text format input was subject to an integer overflow for input
string (or bytestring) literals longer than `INT_MAX`.

Fix that by counting as a `size_t` rather than as an `int`. The counter
can never correctly be negative.

Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme
from the Sovereign Tech Agency. ID: #YWH-PGM9867-145

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Fixes: #3834
---
 glib/gvariant-parser.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff -urp glib-2.78.6.orig/glib/gvariant-parser.c glib-2.78.6/glib/gvariant-parser.c
--- glib-2.78.6.orig/glib/gvariant-parser.c	2024-05-08 12:53:54.000000000 -0500
+++ glib-2.78.6/glib/gvariant-parser.c	2025-12-11 15:05:07.444571372 -0600
@@ -597,7 +597,7 @@ ast_resolve (AST     *ast,
 {
   GVariant *value;
   gchar *pattern;
-  gint i, j = 0;
+  size_t i, j = 0;
 
   pattern = ast_get_pattern (ast, error);
 
@@ -1621,9 +1621,9 @@ string_free (AST *ast)
  * No leading/trailing space allowed. */
 static gboolean
 unicode_unescape (const gchar  *src,
-                  gint         *src_ofs,
+                  size_t       *src_ofs,
                   gchar        *dest,
-                  gint         *dest_ofs,
+                  size_t       *dest_ofs,
                   gsize         length,
                   SourceRef    *ref,
                   GError      **error)
@@ -1684,7 +1684,7 @@ string_parse (TokenStream  *stream,
   gsize length;
   gchar quote;
   gchar *str;
-  gint i, j;
+  size_t i, j;
 
   token_stream_start_ref (stream, &ref);
   token = token_stream_get (stream);
@@ -1814,7 +1814,7 @@ bytestring_parse (TokenStream  *stream,
   gsize length;
   gchar quote;
   gchar *str;
-  gint i, j;
+  size_t i, j;
 
   token_stream_start_ref (stream, &ref);
   token = token_stream_get (stream);
openSUSE Build Service is sponsored by
Places