Missing precondition checks in GArray
It is possible to trigger integer overflows (and subsequent out of boundary accesses) when removing ranges with invalid values. The sum of _index and length must not overflow, otherwise the range check can incorrectly succeed.
A possible patch is here: glib.patch
You can trigger weird behavior with this proof of concept: poc.c
In this proof of concept, the array grows in size even though a range removal has been performed.
I'm not sure if this should be treated in private. But since it's easier to make something public than to make it private afterwards, I'm starting with a confidential issue.
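Added example, not part of the original report and not GLib's source or the attached patch: a simplified model of the range precondition described above, showing how a wrapping index + length check accepts an invalid range and lets the stored length grow, next to an overflow-safe form. The struct, function names and input values are hypothetical and constructed for illustration; only the length bookkeeping is modelled, with no element storage.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-in for an array header; not GLib's GArray. */
struct arr { unsigned int len; };

/* Naive precondition: index + length can wrap around UINT_MAX. */
static bool range_ok_naive(const struct arr *a, unsigned int index, unsigned int length)
{
    return index <= a->len && index + length <= a->len;
}

/* Overflow-safe precondition: never forms the sum index + length. */
static bool range_ok_checked(const struct arr *a, unsigned int index, unsigned int length)
{
    return index <= a->len && length <= a->len - index;
}

/* Length bookkeeping only, so the effect of a bad precondition is
 * visible without touching memory. Returns false if the range is rejected. */
static bool remove_range_len(struct arr *a, unsigned int index, unsigned int length,
                             bool (*ok)(const struct arr *, unsigned int, unsigned int))
{
    if (!ok(a, index, length))
        return false;
    a->len -= length;   /* unsigned arithmetic: wraps if length > len */
    return true;
}

/* Resulting length after attempting the removal on an array of start_len. */
static unsigned int len_after(unsigned int start_len, unsigned int index,
                              unsigned int length, bool checked)
{
    struct arr a = { start_len };
    remove_range_len(&a, index, length, checked ? range_ok_checked : range_ok_naive);
    return a.len;
}

int main(void)
{
    /* Constructed values: index 1, length UINT_MAX on a 4-element array. */
    printf("naive:   len 4 -> %u\n", len_after(4, 1, UINT_MAX, false));
    printf("checked: len 4 -> %u\n", len_after(4, 1, UINT_MAX, true));
    /* A valid removal behaves the same under both checks. */
    printf("valid:   len 4 -> %u\n", len_after(4, 1, 2, true));
    return 0;
}
```

With the naive check the sum 1 + UINT_MAX wraps to 0, the range is accepted, and subtracting the length wraps the stored length upward; the checked form rejects the same call and leaves the length unchanged.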