
Backport !1942 “CVE-2021-27218: gbytearray: Do not accept too large byte arrays” to glib-2-66

GByteArray uses guint for storing the length of the byte array, but it also has a constructor (g_byte_array_new_take) that takes length as a gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits for guint). It is possible to call the function with a value greater than G_MAXUINT, which will result in silent length truncation. This may happen as a result of unreffing GBytes into GByteArray, so rather be loud about it.

(Test case tweaked by Philip Withnall.)


Trivial backport of !1942 (merged) to glib-2-66.
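As an added illustration of the truncation the commit message describes (not code from GLib or from this merge request), the following stand-alone C program uses hypothetical stand-in types (guint_t as a 32-bit unsigned, gsize_t as the platform size type, assumed 64-bit) and a minimal array struct to show what an unchecked "take" constructor records when the requested length exceeds the 32-bit field, alongside a checked variant that refuses such lengths. The function names and the `MAXUINT_T` constant are assumptions for this example; the actual GLib fix is whatever !1942 merged.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in types (hypothetical, not GLib's): guint_t is 32-bit, gsize_t is the
 * platform size type, assumed 64-bit here so the narrowing is observable. */
typedef uint32_t guint_t;
typedef size_t   gsize_t;
#define MAXUINT_T UINT32_MAX
_Static_assert(sizeof(gsize_t) > sizeof(guint_t), "example assumes gsize wider than guint");

/* Minimal byte-array shape: a data pointer plus a 32-bit length field. */
typedef struct {
    uint8_t *data;
    guint_t  len;
} byte_array_t;

/* Pre-fix shape: the gsize_t argument is silently narrowed when stored. */
static byte_array_t *array_new_take_unchecked(uint8_t *data, gsize_t len)
{
    byte_array_t *a = calloc(1, sizeof *a);
    if (a == NULL)
        return NULL;
    a->data = data;
    a->len = (guint_t)len;   /* the high bits of len are discarded here */
    return a;
}

/* Hardened shape: reject any length the guint_t field cannot represent. */
static byte_array_t *array_new_take_checked(uint8_t *data, gsize_t len)
{
    if (len > (gsize_t)MAXUINT_T) {
        fprintf(stderr, "array_new_take_checked: length %zu exceeds %u, refusing\n",
                len, (unsigned)MAXUINT_T);
        return NULL;
    }
    return array_new_take_unchecked(data, len);   /* narrowing is now lossless */
}

/* Length the unchecked constructor records for a requested length.
 * "Take" does not copy, so a one-byte constructed buffer stands in for the data. */
static guint_t recorded_len_unchecked(gsize_t requested)
{
    static uint8_t dummy[1];
    byte_array_t *a = array_new_take_unchecked(dummy, requested);
    guint_t len = a ? a->len : 0;
    free(a);
    return len;
}

/* True when the checked constructor accepts the requested length. */
static bool accepted_checked(gsize_t requested)
{
    static uint8_t dummy[1];
    byte_array_t *a = array_new_take_checked(dummy, requested);
    bool ok = (a != NULL);
    free(a);
    return ok;
}

int main(void)
{
    gsize_t too_big = (gsize_t)MAXUINT_T + 1;   /* 2^32: constructed input, never allocated */
    printf("requested %zu, unchecked stores %u\n", too_big, recorded_len_unchecked(too_big));
    printf("checked accepts 2^32: %s\n", accepted_checked(too_big) ? "yes" : "no");
    printf("checked accepts 4096: %s\n", accepted_checked(4096) ? "yes" : "no");
    return 0;
}
```

The unchecked path records a length of 0 for a request of 2^32 bytes (and 4 for 2^32 + 4), so later bounds checks against `len` would pass while the backing buffer is far larger; the checked path returns NULL and logs, which is the "be loud about it" behaviour the commit message asks for.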

Edited by Simon McVittie
