GArray expanding can cause DoS
I have found an issue with GArray expanding when the array length (`len`, in bytes) is more than 2^31. I've reproduced it on glib 2.60.0.
I have found the related issue #1331 (closed). However, the proposed fix does not seem to fix the following scenario:
- You have around 2^31 elements in the array. The nearest power of 2 is also 2^31, as otherwise `n` would be equal to `0` (as `G_MAXUINT` is actually 2^32 - 1).
- Trying to add another element of size `elt_size` would cause the `want_alloc` variable to be `2^31 + elt_size`. Hence, we copy the whole `2^31` bytes to add each new element to the array. It causes catastrophic degradation of the performance and it is not handled by any code path.
I'm not quite sure what to suggest in this case. In my application I have just added a workaround that prevents arrays of size more than 2^30, to avoid this bug. Probably, if `cur_size * 2` is less than `want_alloc`, GLib should select a wiser increase step than just `elt_size`...
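The growth pattern the report describes can be replayed without allocating 2 GiB. The C program below is an added example written for this page, not code from the report or from GLib: `model_nearest_pow` re-implements the power-of-two helper as the report describes it (32-bit `n` wrapping to 0 and falling back to the requested size; this is an assumption about GLib 2.60's helper, not a copy of it), `policy_reported` and `simulate_appends` replay only the capacity bookkeeping, and `policy_capped` is one candidate "wiser step" invented for the example, not GLib's actual fix. Starting from a 2^31-byte array, the reported policy reallocates and copies the whole buffer on every append, while the capped policy does it once.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit guint limits, as in the report (2^32 - 1 is the largest capacity). */
#define G_MAXUINT_MODEL UINT32_MAX
#define MIN_ARRAY_SIZE_MODEL 16u

/* Nearest power of two at or above num, computed in a 32-bit unsigned.
 * Assumption: models the helper the report describes; not GLib's code.
 * Once n reaches 2^31 the next shift wraps it to 0, the loop exits and the
 * function returns num unchanged, so the growth step collapses to elt_size. */
static uint32_t model_nearest_pow(uint32_t num)
{
    uint32_t n = 1;
    while (n < num && n > 0)
        n <<= 1;
    return n ? n : num;
}

/* Growth policy as the report describes it: round the wanted byte size up
 * to a power of two, with a floor of MIN_ARRAY_SIZE. */
static uint32_t policy_reported(uint32_t cur_alloc, uint32_t want_alloc)
{
    uint32_t a;
    if (want_alloc <= cur_alloc)
        return cur_alloc;
    a = model_nearest_pow(want_alloc);
    return a > MIN_ARRAY_SIZE_MODEL ? a : MIN_ARRAY_SIZE_MODEL;
}

/* One candidate "wiser step" (this example's assumption, not GLib's fix):
 * past 2^31 no larger power of two fits in a guint, so jump straight to
 * G_MAXUINT and let every later append fit without a realloc. */
static uint32_t policy_capped(uint32_t cur_alloc, uint32_t want_alloc)
{
    if (want_alloc <= cur_alloc)
        return cur_alloc;
    if (want_alloc > (UINT32_C(1) << 31))
        return G_MAXUINT_MODEL;
    return policy_reported(cur_alloc, want_alloc);
}

typedef struct {
    uint64_t reallocs;     /* how many times the buffer was regrown */
    uint64_t bytes_copied; /* live bytes a moving realloc had to copy, summed */
    int      refused;      /* 1 if the len + elt_size overflow check fired */
} growth_stats;

/* Replay `appends` appends of elt_size-byte elements onto an array that
 * already holds len_bytes in alloc_bytes of capacity. Nothing is allocated,
 * only the bookkeeping runs, so a 2 GiB starting point costs nothing. */
static growth_stats simulate_appends(uint32_t (*policy)(uint32_t, uint32_t),
                                     uint32_t len_bytes, uint32_t alloc_bytes,
                                     uint32_t elt_size, unsigned appends)
{
    growth_stats s = { 0, 0, 0 };
    unsigned i;
    for (i = 0; i < appends; i++) {
        uint32_t want, new_alloc;
        /* The guint overflow check from #1331, as the report describes it. */
        if (G_MAXUINT_MODEL - len_bytes < elt_size) {
            s.refused = 1;
            break;
        }
        want = len_bytes + elt_size;
        new_alloc = policy(alloc_bytes, want);
        if (new_alloc != alloc_bytes) {
            s.reallocs++;
            s.bytes_copied += len_bytes; /* worst case: realloc moves the block */
            alloc_bytes = new_alloc;
        }
        len_bytes = want;
    }
    return s;
}

int main(void)
{
    const uint32_t two31 = UINT32_C(1) << 31;
    growth_stats a = simulate_appends(policy_reported, two31, two31, 4, 1000);
    growth_stats b = simulate_appends(policy_capped,   two31, two31, 4, 1000);
    printf("reported policy: %llu reallocs, %llu bytes copied\n",
           (unsigned long long) a.reallocs, (unsigned long long) a.bytes_copied);
    printf("capped policy:   %llu reallocs, %llu bytes copied\n",
           (unsigned long long) b.reallocs, (unsigned long long) b.bytes_copied);
    return 0;
}
```

With 4-byte elements and 1000 appends from a 2^31-byte array, the reported policy performs 1000 reallocs and copies about 2 TiB in total, while the capped policy reallocates once and copies 2 GiB; below 2^31 both policies behave identically (the usual doubling), which is why the problem only shows up on very large arrays.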