buffer overflows in garray.c
Integer overflows in size calculations of buffers (GArray and GPtrArray) allow subsequent buffer overflows. This happens due to conversions between gsize and guint.
Proofs of concept for GArray (array.c) and GPtrArray (ptr.c) are attached. While array.c only requires 4 GB of RAM, ptr.c will need a bit more than 48 GB.
I also have a proposed patch (glib.patch).
An alternative to my patch, which uses MIN(..., G_MAXUINT), would be to limit the number of items to 2 billion, i.e. extending the MAX check before the actual calculations. I am not sure how you want to handle these "arbitrary" limits, so I took the version which allows the full G_MAXUINT number of items.
Let me know what you think about the severity. Since 4 GB char arrays do not sound unrealistic to achieve, I would recommend at least handling the GArray issue with medium severity.
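To make the gsize/guint problem concrete without the attached PoCs (which need 4 GB and 48 GB of RAM), here is an added, stand-alone example. It is not the reporter's array.c/ptr.c, the attached glib.patch, or GLib's own garray.c; it models the size calculation in a few lines with stand-in typedefs (guint as unsigned int, gsize as size_t, both assumptions mirroring GLib's definitions) and shows the narrow arithmetic wrapping beside a widened, range-checked variant. The function names unsafe_bytes_needed, safe_bytes_needed and checked_bytes are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in typedefs so this compiles without GLib. Assumption: they mirror
 * GLib's guint (unsigned int) and gsize (size_t). */
typedef unsigned int guint;
typedef size_t gsize;
#define G_MAXUINT UINT_MAX

/* Hypothetical model of the vulnerable pattern (not GLib's actual code):
 * the element count and the byte size are both computed in guint, so the
 * addition and the multiplication can each wrap silently. A wrapped result
 * makes the allocator hand back a buffer far smaller than the data that is
 * about to be copied into it. */
static guint
unsafe_bytes_needed (guint len, guint add, guint elt_size)
{
  guint new_len = len + add;   /* wraps when len + add > G_MAXUINT */
  return new_len * elt_size;   /* wraps when the product > G_MAXUINT */
}

/* Hardened variant: check the addition against the guint range first (the
 * "MAX check before the actual calculations" option), then do the
 * multiplication in gsize and reject anything that would not fit in gsize
 * either, which matters on 32-bit targets where gsize is also 32 bits.
 * Returns 1 and stores the byte count in *bytes, or 0 on overflow. */
static int
safe_bytes_needed (guint len, guint add, guint elt_size, gsize *bytes)
{
  if (add > G_MAXUINT - len)
    return 0;                                   /* element count would not fit in guint */
  {
    guint new_len = len + add;                  /* cannot wrap now */
    if (elt_size != 0 && new_len > SIZE_MAX / elt_size)
      return 0;                                 /* byte count would not fit in gsize */
    *bytes = (gsize) new_len * (gsize) elt_size;
    return 1;
  }
}

/* Convenience wrapper: the checked byte count, or 0 if the request was
 * rejected (0 is never a legitimate answer when elt_size and len+add > 0). */
static gsize
checked_bytes (guint len, guint add, guint elt_size)
{
  gsize bytes = 0;
  return safe_bytes_needed (len, add, elt_size, &bytes) ? bytes : 0;
}

int
main (void)
{
  /* Constructed inputs modelled on the report: a GArray of G_MAXUINT 1-byte
   * elements that receives one more append, and a GPtrArray-like case where
   * 2^29 pointer-sized elements multiply past the guint range. */
  struct { guint len, add, elt; } cases[] = {
    { G_MAXUINT,   1, 1 },
    { 0x20000000u, 0, 8 },
    { 100,         1, 4 },
  };
  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
    {
      gsize bytes = 0;
      int ok = safe_bytes_needed (cases[i].len, cases[i].add, cases[i].elt, &bytes);
      printf ("len=%u add=%u elt=%u: guint math says %u bytes, checked math says %s\n",
              cases[i].len, cases[i].add, cases[i].elt,
              unsafe_bytes_needed (cases[i].len, cases[i].add, cases[i].elt),
              ok ? "ok" : "overflow");
      if (ok)
        printf ("  -> %zu bytes\n", bytes);
    }
  return 0;
}
```

The first two cases are exactly the shape the attached PoCs exercise: the guint arithmetic reports 0 bytes (so a tiny or empty allocation would be made and then written past), while the checked version refuses the request before any allocation happens.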