(CVE-2025-6052) gstring: Fix overflow check when expanding the string

After commit 34b7992f the overflow check was only done when expanding the string, but we need to do it before checking whether to expand the string, otherwise that calculation could overflow and falsely decide that the string is big enough already.

As a concrete example, consider a GString which has:

  • .len = G_MAXSIZE / 2 + 1
  • .allocated_len = G_MAXSIZE / 2 + 1

and g_string_append() is called on it with an input string of length G_MAXSIZE / 2.

This results in a call g_string_maybe_expand (string, G_MAXSIZE / 2), which calculates string->len + len as (G_MAXSIZE / 2 + 1) + (G_MAXSIZE / 2) which evaluates to 1 as it overflows. This is not greater than string->allocated_len (which is G_MAXSIZE / 2 + 1), so g_string_expand() is not called, and g_string_maybe_expand() returns successfully. The caller then assumes that there’s enough space in the buffer, and happily continues to cause a buffer overflow.

It’s unlikely anyone could hit this in practice because it requires ludicrously big strings and GString allocations, which likely would have been blocked by other code, but if we’re going to have the overflow checks in GString then they should be effective.

Spotted by code inspection.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
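The two check orderings described above, modelled on plain size_t bookkeeping as an added illustration (this is not GLib's code; FakeGString, maybe_expand_flawed and maybe_expand_fixed are names assumed here). The flawed version computes len + extra first and only guards against overflow on the expand path, so a wrapped sum slips past the comparison; the fixed version rejects overflow before comparing. The test values are constructed so the addition actually wraps to 1.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for the two GString fields that matter here.
 * No buffer is allocated, so SIZE_MAX-scale lengths can be used directly. */
typedef struct {
    size_t len;            /* bytes currently in use */
    size_t allocated_len;  /* bytes available in the backing buffer */
} FakeGString;

typedef enum {
    CHECK_NO_EXPAND_NEEDED,  /* caller may append without growing the buffer */
    CHECK_EXPAND_NEEDED,     /* buffer must grow before appending */
    CHECK_OVERFLOW           /* len + extra does not fit in size_t; refuse */
} ExpandDecision;

/* Flawed ordering: the sum is computed first, and overflow is only checked
 * once we have decided to expand. If len + extra wraps around, the wrapped
 * value compares as "small enough" and expansion is skipped entirely. */
ExpandDecision maybe_expand_flawed(const FakeGString *s, size_t extra)
{
    size_t needed = s->len + extra;          /* may wrap around silently */
    if (needed <= s->allocated_len)
        return CHECK_NO_EXPAND_NEEDED;       /* wrong answer after a wrap */
    if (extra > SIZE_MAX - s->len)           /* never reached on a wrap */
        return CHECK_OVERFLOW;
    return CHECK_EXPAND_NEEDED;
}

/* Fixed ordering: reject overflow before the capacity comparison, so the
 * comparison only ever sees a sum that was actually representable. */
ExpandDecision maybe_expand_fixed(const FakeGString *s, size_t extra)
{
    if (extra > SIZE_MAX - s->len)           /* portable overflow test */
        return CHECK_OVERFLOW;
    if (s->len + extra <= s->allocated_len)  /* safe: cannot wrap now */
        return CHECK_NO_EXPAND_NEEDED;
    return CHECK_EXPAND_NEEDED;
}

/* Constructed case in the spirit of the report: len and allocated_len are
 * SIZE_MAX/2 + 2 and the appended length is SIZE_MAX/2 + 1, so the sum
 * wraps to 1 and the flawed check believes no expansion is needed. */
FakeGString wrapping_case(void)
{
    FakeGString s = { SIZE_MAX / 2 + 2, SIZE_MAX / 2 + 2 };
    return s;
}
```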
