gstrfuncs.c: integer overflows and buffer overruns
Submitted by Christian Biere
Link to original bug (#547950)
Description
The code in glib/gstrfuncs.c is not very robust. It causes undefined behavior for extreme but perfectly valid parameters.
- Trying to store the result of strlen() in a variable of type "int" can cause an integer overflow on any 64-bit platform. See g_str_has_prefix() and g_str_has_suffix().
- Especially on a 32-bit platform, adding or multiplying size_t values can easily wrap around and result in allocating too little memory, leading to a buffer overrun afterwards. Instead, size_t arithmetic should saturate at SIZE_MAX. Since SIZE_MAX bytes cannot be allocated, the application will then terminate properly instead of writing past an undersized buffer.