File glib2-CVE-2026-0988.patch of Package glib2.42381

From c5766cff61ffce0b8e787eae09908ac348338e5f Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@gnome.org>
Date: Thu, 18 Dec 2025 23:12:18 +0000
Subject: [PATCH] gbufferedinputstream: Fix a potential integer overflow in
 peek()

If the caller provides `offset` and `count` arguments which overflow,
their sum will overflow and could lead to `memcpy()` reading out more
memory than expected.

Spotted by Codean Labs.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Fixes: #3851
---
 gio/gbufferedinputstream.c        |  2 +-
 gio/tests/buffered-input-stream.c | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/gio/gbufferedinputstream.c b/gio/gbufferedinputstream.c
index 9e6bacc62..56d656be0 100644
--- a/gio/gbufferedinputstream.c
+++ b/gio/gbufferedinputstream.c
@@ -591,7 +591,7 @@ g_buffered_input_stream_peek (GBufferedInputStream *stream,
 
   available = g_buffered_input_stream_get_available (stream);
 
-  if (offset > available)
+  if (offset > available || offset > G_MAXSIZE - count)
     return 0;
 
   end = MIN (offset + count, available);
diff --git a/gio/tests/buffered-input-stream.c b/gio/tests/buffered-input-stream.c
index a1af4eeff..2b2a0d9aa 100644
--- a/gio/tests/buffered-input-stream.c
+++ b/gio/tests/buffered-input-stream.c
@@ -60,6 +60,16 @@ test_peek (void)
   g_assert_cmpint (npeek, ==, 0);
   g_free (buffer);
 
+  buffer = g_new0 (char, 64);
+  npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 8, 0);
+  g_assert_cmpint (npeek, ==, 0);
+  g_free (buffer);
+
+  buffer = g_new0 (char, 64);
+  npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 5, G_MAXSIZE);
+  g_assert_cmpint (npeek, ==, 0);
+  g_free (buffer);
+
   g_object_unref (in);
   g_object_unref (base);
 }
-- 
2.52.0