Skip to content

Backport !1942 “CVE-2021-27218: gbytearray: Do not accept too large byte arrays” to glib-2-66

GByteArray uses guint for storing the length of the byte array, but it also has a constructor (g_byte_array_new_take) that takes length as a gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits for guint). It is possible to call the function with a value greater than G_MAXUINT, which will result in silent length truncation. This may happen as a result of unreffing GBytes into GByteArray, so rather be loud about it.

(Test case tweaked by Philip Withnall.)

Trivial backport of !1942 (merged) to glib-2-66.

Edited by Simon McVittie

Merge request reports