File glib2-CVE-2025-14512.patch of Package glib2.41973
From 4f0399c0aaf3ffc86b5625424580294bc7460404 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Thu, 4 Dec 2025 16:37:19 +0000
Subject: [PATCH] gfileattribute: Fix integer overflow calculating escaping for
byte strings
The number of invalid characters in the byte string (characters which
would have to be percent-encoded) was only stored in an `int`, which
gave the possibility of a long string largely full of invalid
characters overflowing this and allowing an attacker-controlled buffer
size to be allocated.
This could be triggered by an attacker controlled file attribute (of
type `G_FILE_ATTRIBUTE_TYPE_BYTE_STRING`), such as
`G_FILE_ATTRIBUTE_THUMBNAIL_PATH` or `G_FILE_ATTRIBUTE_STANDARD_NAME`,
being read by user code.
Spotted by Codean Labs.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Fixes: #3845
---
gio/gfileattribute.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/gio/gfileattribute.c b/gio/gfileattribute.c
index c6fde60fa..d3083e5bd 100644
--- a/gio/gfileattribute.c
+++ b/gio/gfileattribute.c
@@ -22,6 +22,7 @@
#include "config.h"
+#include <stdint.h>
#include <string.h>
#include "gfileattribute.h"
@@ -166,11 +167,12 @@ valid_char (char c)
return c >= 32 && c <= 126 && c != '\\';
}
+/* Returns NULL on error */
static char *
escape_byte_string (const char *str)
{
size_t i, len;
- int num_invalid;
+ size_t num_invalid;
char *escaped_val, *p;
unsigned char c;
const char hex_digits[] = "0123456789abcdef";
@@ -188,7 +190,12 @@ escape_byte_string (const char *str)
return g_strdup (str);
else
{
- escaped_val = g_malloc (len + num_invalid*3 + 1);
+ /* Check for overflow. We want to check the inequality:
+ * !(len + num_invalid * 3 + 1 > SIZE_MAX) */
+ if (num_invalid >= (SIZE_MAX - len) / 3)
+ return NULL;
+
+ escaped_val = g_malloc (len + num_invalid * 3 + 1);
p = escaped_val;
for (i = 0; i < len; i++)
--
2.52.0
