File glib2-CVE-2026-1484.patch of Package glib2
From 5ba0ed9ab2c28294713bdc56a8744ff0a446b59c Mon Sep 17 00:00:00 2001
From: Marco Trevisan <mail@3v1n0.net>
Date: Fri, 23 Jan 2026 18:48:30 +0100
Subject: [PATCH 1/2] gbase64: Use gsize to prevent potential overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Both g_base64_encode_step() and g_base64_encode_close() return gsize
values, but these are summed to an int value.
If the sum of these returned values is bigger than MAXINT, we overflow
while doing the null byte write.
Spotted by treeplus.
Thanks to the Sovereign Tech Resilience programme from the Sovereign
Tech Agency.
ID: #YWH-PGM9867-168
Closes: #3870
(cherry picked from commit 6845f7776982849a2be1d8c9b0495e389092bff2)
Co-authored-by: Marco Trevisan (Treviño) <mail@3v1n0.net>
---
glib/gbase64.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/glib/gbase64.c b/glib/gbase64.c
index 2ea4a4ef44..214b489117 100644
--- a/glib/gbase64.c
+++ b/glib/gbase64.c
@@ -240,8 +240,9 @@ g_base64_encode (const guchar *data,
gsize len)
{
gchar *out;
- gint state = 0, outlen;
+ gint state = 0;
gint save = 0;
+ gsize outlen;
g_return_val_if_fail (data != NULL || len == 0, NULL);
--
GitLab
From 25429bd0b22222d6986d000d62b44eebf490837d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
Date: Wed, 21 Jan 2026 20:09:44 +0100
Subject: [PATCH 2/2] gbase64: Ensure that the out value is within allocated
size
We do not want to dereference or write to it
Related to: #3870
---
glib/gbase64.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/glib/gbase64.c b/glib/gbase64.c
index 214b489117..0141b3b072 100644
--- a/glib/gbase64.c
+++ b/glib/gbase64.c
@@ -243,6 +243,7 @@ g_base64_encode (const guchar *data,
gint state = 0;
gint save = 0;
gsize outlen;
+ gsize allocsize;
g_return_val_if_fail (data != NULL || len == 0, NULL);
@@ -250,10 +251,15 @@ g_base64_encode (const guchar *data,
+1 is needed for trailing \0, also check for unlikely integer overflow */
g_return_val_if_fail (len < ((G_MAXSIZE - 1) / 4 - 1) * 3, NULL);
- out = g_malloc ((len / 3 + 1) * 4 + 1);
+ allocsize = (len / 3 + 1) * 4 + 1;
+ out = g_malloc (allocsize);
outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save);
+ g_assert (outlen <= allocsize);
+
outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save);
+ g_assert (outlen <= allocsize);
+
out[outlen] = '\0';
return (gchar *) out;
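Review bot: The second `g_assert (outlen <= allocsize);` still admits `outlen == allocsize`, and in that case the following `out[outlen] = '\0';` writes one byte past the `allocsize`-byte buffer. Because `allocsize` already includes the `+ 1` for the terminator, the check guarding the NUL write should be strict: `g_assert (outlen < allocsize);`. Both assertions also run only after `g_base64_encode_step()` and `g_base64_encode_close()` have written into `out`, so they turn an overrun into an abort rather than prevent it, and they are compiled out when `G_DISABLE_ASSERT` is defined. A comment such as `/* Post-hoc sanity check; not a bounds guarantee when G_DISABLE_ASSERT is defined */` would keep later readers from treating them as the bounds check. The body of g_base64_encode() begins before this hunk and its closing brace lies outside it.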
--
GitLab