From 5ba0ed9ab2c28294713bdc56a8744ff0a446b59c Mon Sep 17 00:00:00 2001
From: Marco Trevisan
Date: Fri, 23 Jan 2026 18:48:30 +0100
Subject: [PATCH 1/2] gbase64: Use gsize to prevent potential overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Both g_base64_encode_step() and g_base64_encode_close() return gsize values, but these are summed to an int value. If the sum of these returned values is bigger than MAXINT, we overflow while doing the null byte write. Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme from the Sovereign Tech Agency. ID: #YWH-PGM9867-168 Closes: #3870 (cherry picked from commit 6845f7776982849a2be1d8c9b0495e389092bff2) Co-authored-by: Marco Trevisan (TreviƱo)
---
 glib/gbase64.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/glib/gbase64.c b/glib/gbase64.c
index 2ea4a4ef44..214b489117 100644
--- a/glib/gbase64.c
+++ b/glib/gbase64.c
@@ -240,8 +240,9 @@ g_base64_encode (const guchar *data,
 gsize len)
 {
 gchar *out;
- gint state = 0, outlen;
+ gint state = 0;
 gint save = 0;
+ gsize outlen;
 
 g_return_val_if_fail (data != NULL || len == 0, NULL);
 
-- 
GitLab

From 25429bd0b22222d6986d000d62b44eebf490837d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?=
Date: Wed, 21 Jan 2026 20:09:44 +0100
Subject: [PATCH 2/2] gbase64: Ensure that the out value is within allocated size We do not want to deference or write to it Related to: #3870
---
 glib/gbase64.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/glib/gbase64.c b/glib/gbase64.c
index 214b489117..0141b3b072 100644
--- a/glib/gbase64.c
+++ b/glib/gbase64.c
@@ -243,6 +243,7 @@ g_base64_encode (const guchar *data,
 gint state = 0;
 gint save = 0;
 gsize outlen;
+ gsize allocsize;
 
 g_return_val_if_fail (data != NULL || len == 0, NULL);
 
@@ -250,10 +251,15 @@ g_base64_encode (const guchar *data,
 +1 is needed for trailing \0, also check for unlikely integer overflow */
 g_return_val_if_fail (len < ((G_MAXSIZE - 1) / 4 - 1) * 3, NULL);
 
- out = g_malloc ((len / 3 + 1) * 4 + 1);
+ allocsize = (len / 3 + 1) * 4 + 1;
+ out = g_malloc (allocsize);
 
 outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save);
+ g_assert (outlen <= allocsize);
+
 outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save);
+ g_assert (outlen <= allocsize);
+
 out[outlen] = '\0';
 
 return (gchar *) out;
-- 
GitLab
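Review bot: The second `g_assert (outlen <= allocsize);` still accepts `outlen == allocsize`, and the `out[outlen] = '\0';` that follows would then write one byte past the `allocsize`-byte buffer; because the terminator needs its own slot, the check before it should be strict, `g_assert (outlen < allocsize);`. Both assertions also run only after `g_base64_encode_step()` and `g_base64_encode_close()` have already written into `out`, so they detect an overrun rather than prevent it, and they do nothing in a build that defines `G_DISABLE_ASSERT`. A one-line comment stating that they are post-condition checks and that the real bound is the `len` guard above would keep later readers from relying on them as the bounds check. The start of `g_base64_encode` and its closing brace lie outside this hunk.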