File glib2-CVE-2021-27218.patch of Package glib2.42479
diff --unified --recursive --text --new-file --color glib-2.62.6.old/glib/garray.c glib-2.62.6.new/glib/garray.c
--- glib-2.62.6.old/glib/garray.c 2021-03-03 08:49:45.499827919 +0800
+++ glib-2.62.6.new/glib/garray.c 2021-03-04 08:42:07.925581972 +0800
@@ -2013,6 +2013,10 @@
* Create byte array containing the data. The data will be owned by the array
* and will be freed with g_free(), i.e. it could be allocated using g_strdup().
*
+ * Do not use it if @len is greater than %G_MAXUINT. #GByteArray
+ * stores the length of its data in #guint, which may be shorter than
+ * #gsize.
+ *
* Since: 2.32
*
* Returns: (transfer full): a new #GByteArray
@@ -2024,6 +2028,8 @@
GByteArray *array;
GRealArray *real;
+ g_return_val_if_fail (len <= G_MAXUINT, NULL);
+
array = g_byte_array_new ();
real = (GRealArray *)array;
g_assert (real->data == NULL);
diff --unified --recursive --text --new-file --color glib-2.62.6.old/glib/gbytes.c glib-2.62.6.new/glib/gbytes.c
--- glib-2.62.6.old/glib/gbytes.c 2021-03-03 08:49:45.499827919 +0800
+++ glib-2.62.6.new/glib/gbytes.c 2021-03-04 08:42:07.925581972 +0800
@@ -519,6 +519,10 @@
* g_bytes_new(), g_bytes_new_take() or g_byte_array_free_to_bytes(). In all
* other cases the data is copied.
*
+ * Do not use it if @bytes contains more than %G_MAXUINT
+ * bytes. #GByteArray stores the length of its data in #guint, which
+ * may be shorter than #gsize, that @bytes is using.
+ *
* Returns: (transfer full): a new mutable #GByteArray containing the same byte data
*
* Since: 2.32
diff --unified --recursive --text --new-file --color glib-2.62.6.old/glib/tests/bytes.c glib-2.62.6.new/glib/tests/bytes.c
--- glib-2.62.6.old/glib/tests/bytes.c 2021-03-03 08:49:45.509827918 +0800
+++ glib-2.62.6.new/glib/tests/bytes.c 2021-03-04 08:43:10.720087998 +0800
@@ -10,12 +10,12 @@
*/
#undef G_DISABLE_ASSERT
-#undef G_LOG_DOMAIN
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "glib.h"
+#include "glib/gstrfuncsprivate.h"
/* Keep in sync with glib/gbytes.c */
struct _GBytes
@@ -334,6 +334,38 @@
}
static void
+test_to_array_transferred_oversize (void)
+{
+ g_test_message ("g_bytes_unref_to_array() can only take GBytes up to "
+ "G_MAXUINT in length; test that longer ones are rejected");
+
+ if (sizeof (guint) >= sizeof (gsize))
+ {
+ g_test_skip ("Skipping test as guint is not smaller than gsize");
+ }
+ else if (g_test_undefined ())
+ {
+ GByteArray *array = NULL;
+ GBytes *bytes = NULL;
+ gpointer data = g_memdup2 (NYAN, N_NYAN);
+ gsize len = ((gsize) G_MAXUINT) + 1;
+
+ bytes = g_bytes_new_take (data, len);
+ g_test_expect_message (G_LOG_DOMAIN, G_LOG_LEVEL_CRITICAL,
+ "g_byte_array_new_take: assertion 'len <= G_MAXUINT' failed");
+ array = g_bytes_unref_to_array (g_steal_pointer (&bytes));
+ g_test_assert_expected_messages ();
+ g_assert_null (array);
+
+ g_free (data);
+ }
+ else
+ {
+ g_test_skip ("Skipping test as testing undefined behaviour is disabled");
+ }
+}
+
+static void
test_to_array_two_refs (void)
{
gconstpointer memory;
@@ -408,6 +440,7 @@
g_test_add_func ("/bytes/to-data/two-refs", test_to_data_two_refs);
g_test_add_func ("/bytes/to-data/non-malloc", test_to_data_non_malloc);
g_test_add_func ("/bytes/to-array/transfered", test_to_array_transferred);
+ g_test_add_func ("/bytes/to-array/transferred/oversize", test_to_array_transferred_oversize);
g_test_add_func ("/bytes/to-array/two-refs", test_to_array_two_refs);
g_test_add_func ("/bytes/to-array/non-malloc", test_to_array_non_malloc);
g_test_add_func ("/bytes/null", test_null);
