File glib2-CVE-2025-4373.patch of Package glib2.39160
diff --git a/glib/gstring.c b/glib/gstring.c
index 9ba7b0a..a2706cd 100644
--- a/glib/gstring.c
+++ b/glib/gstring.c
@@ -426,6 +426,8 @@ g_string_insert_len (GString *string,
const gchar *val,
gssize len)
{
+ gsize len_unsigned, pos_unsigned;
+
g_return_val_if_fail (string != NULL, NULL);
g_return_val_if_fail (len == 0 || val != NULL, string);
@@ -433,12 +435,17 @@ g_string_insert_len (GString *string,
return string;
if (len < 0)
- len = strlen (val);
+ len_unsigned = strlen (val);
+ else
+ len_unsigned = len;
if (pos < 0)
- pos = string->len;
+ pos_unsigned = string->len;
else
- g_return_val_if_fail (pos <= string->len, string);
+ {
+ pos_unsigned = pos;
+ g_return_val_if_fail (pos_unsigned <= string->len, string);
+ }
/* Check whether val represents a substring of string.
* This test probably violates chapter and verse of the C standards,
@@ -450,45 +457,48 @@ g_string_insert_len (GString *string,
gsize offset = val - string->str;
gsize precount = 0;
- g_string_maybe_expand (string, len);
+ g_string_maybe_expand (string, len_unsigned);
val = string->str + offset;
/* At this point, val is valid again. */
/* Open up space where we are going to insert. */
- if (pos < string->len)
- memmove (string->str + pos + len, string->str + pos, string->len - pos);
+ if (pos_unsigned < string->len)
+ memmove (string->str + pos_unsigned + len_unsigned,
+ string->str + pos_unsigned, string->len - pos_unsigned);
/* Move the source part before the gap, if any. */
- if (offset < pos)
+ if (offset < pos_unsigned)
{
- precount = MIN (len, pos - offset);
- memcpy (string->str + pos, val, precount);
+ precount = MIN (len_unsigned, pos_unsigned - offset);
+ memcpy (string->str + pos_unsigned, val, precount);
}
/* Move the source part after the gap, if any. */
- if (len > precount)
- memcpy (string->str + pos + precount,
- val + /* Already moved: */ precount + /* Space opened up: */ len,
- len - precount);
+ if (len_unsigned > precount)
+ memcpy (string->str + pos_unsigned + precount,
+ val + /* Already moved: */ precount +
+ /* Space opened up: */ len_unsigned,
+ len_unsigned - precount);
}
else
{
- g_string_maybe_expand (string, len);
+ g_string_maybe_expand (string, len_unsigned);
/* If we aren't appending at the end, move a hunk
* of the old string to the end, opening up space
*/
- if (pos < string->len)
- memmove (string->str + pos + len, string->str + pos, string->len - pos);
+ if (pos_unsigned < string->len)
+ memmove (string->str + pos_unsigned + len_unsigned,
+ string->str + pos_unsigned, string->len - pos_unsigned);
/* insert the new string */
- if (len == 1)
- string->str[pos] = *val;
+ if (len_unsigned == 1)
+ string->str[pos_unsigned] = *val;
else
- memcpy (string->str + pos, val, len);
+ memcpy (string->str + pos_unsigned, val, len_unsigned);
}
- string->len += len;
+ string->len += len_unsigned;
string->str[string->len] = 0;
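Review bot: The `memmove`/`memcpy` offsets `string->str + pos_unsigned + len_unsigned` and the final `string->len += len_unsigned` in g_string_insert_len are in bounds only if `g_string_maybe_expand (string, len_unsigned)` refuses a length that would overflow `string->len + len_unsigned + 1`. That check is not visible in this patch, so it should be confirmed in the tree being patched. A short comment above both `g_string_maybe_expand` calls would record the dependency, for example `/* g_string_maybe_expand() aborts if string->len + len_unsigned would overflow gsize; the offsets below rely on that. */`. The function body starts and ends outside this hunk.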
@@ -772,20 +782,26 @@ g_string_insert_c (GString *string,
gssize pos,
gchar c)
{
+ gsize pos_unsigned;
+
g_return_val_if_fail (string != NULL, NULL);
g_string_maybe_expand (string, 1);
if (pos < 0)
- pos = string->len;
+ pos_unsigned = string->len;
else
- g_return_val_if_fail (pos <= string->len, string);
+ {
+ pos_unsigned = pos;
+ g_return_val_if_fail (pos_unsigned <= string->len, string);
+ }
/* If not just an append, move the old stuff */
- if (pos < string->len)
- memmove (string->str + pos + 1, string->str + pos, string->len - pos);
+ if (pos_unsigned < string->len)
+ memmove (string->str + pos_unsigned + 1,
+ string->str + pos_unsigned, string->len - pos_unsigned);
- string->str[pos] = c;
+ string->str[pos_unsigned] = c;
string->len += 1;
@@ -811,6 +827,7 @@ g_string_insert_unichar (GString *string,
gssize pos,
gunichar wc)
{
+ gsize pos_unsigned;
gint charlen, first, i;
gchar *dest;
@@ -852,15 +869,18 @@ g_string_insert_unichar (GString *string,
g_string_maybe_expand (string, charlen);
if (pos < 0)
- pos = string->len;
+ pos_unsigned = string->len;
else
- g_return_val_if_fail (pos <= string->len, string);
+ {
+ pos_unsigned = pos;
+ g_return_val_if_fail (pos_unsigned <= string->len, string);
+ }
/* If not just an append, move the old stuff */
- if (pos < string->len)
- memmove (string->str + pos + charlen, string->str + pos, string->len - pos);
+ if (pos_unsigned < string->len)
+ memmove (string->str + pos_unsigned + charlen, string->str + pos_unsigned, string->len - pos_unsigned);
- dest = string->str + pos;
+ dest = string->str + pos_unsigned;
/* Code copied from g_unichar_to_utf() */
for (i = charlen - 1; i > 0; --i)
{
@@ -918,6 +938,7 @@ g_string_overwrite_len (GString *string,
const gchar *val,
gssize len)
{
+ gsize len_unsigned;
gsize end;
g_return_val_if_fail (string != NULL, NULL);
@@ -929,14 +950,16 @@ g_string_overwrite_len (GString *string,
g_return_val_if_fail (pos <= string->len, string);
if (len < 0)
- len = strlen (val);
+ len_unsigned = strlen (val);
+ else
+ len_unsigned = len;
- end = pos + len;
+ end = pos + len_unsigned;
if (end > string->len)
g_string_maybe_expand (string, end - string->len);
- memcpy (string->str + pos, val, len);
+ memcpy (string->str + pos, val, len_unsigned);
if (end > string->len)
{
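Review bot: `end = pos + len_unsigned;` in g_string_overwrite_len is an unchecked unsigned addition. If it wraps, `end > string->len` is false, the expand is skipped, and the `memcpy` still writes `len_unsigned` bytes at `string->str + pos`. `pos` appears to be `gsize` here (its declaration is outside the hunk) and is bounded only by `string->len`, so a wrap needs a very large string and is probably limited to 32-bit targets. A guard before the addition is still cheap: `g_return_val_if_fail (len_unsigned <= G_MAXSIZE - pos, string);`.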
@@ -964,21 +987,28 @@ g_string_erase (GString *string,
gssize pos,
gssize len)
{
+ gsize len_unsigned, pos_unsigned;
+
g_return_val_if_fail (string != NULL, NULL);
g_return_val_if_fail (pos >= 0, string);
- g_return_val_if_fail (pos <= string->len, string);
+ pos_unsigned = pos;
+
+ g_return_val_if_fail (pos_unsigned <= string->len, string);
if (len < 0)
- len = string->len - pos;
+ len_unsigned = string->len - pos_unsigned;
else
{
- g_return_val_if_fail (pos + len <= string->len, string);
+ len_unsigned = len;
+ g_return_val_if_fail (pos_unsigned + len_unsigned <= string->len, string);
- if (pos + len < string->len)
- memmove (string->str + pos, string->str + pos + len, string->len - (pos + len));
+ if (pos_unsigned + len_unsigned < string->len)
+ memmove (string->str + pos_unsigned,
+ string->str + pos_unsigned + len_unsigned,
+ string->len - (pos_unsigned + len_unsigned));
}
- string->len -= len;
+ string->len -= len_unsigned;
string->str[string->len] = 0;