From 3caf00b0a137dabd47571b57384aeda96c9ecee7 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 4 Dec 2025 16:37:19 +0000 Subject: [PATCH] gfileattribute: Fix integer overflow calculating escaping for byte strings The number of invalid characters in the byte string (characters which would have to be percent-encoded) was only stored in an `int`, which gave the possibility of a long string largely full of invalid characters overflowing this and allowing an attacker-controlled buffer size to be allocated. This could be triggered by an attacker controlled file attribute (of type `G_FILE_ATTRIBUTE_TYPE_BYTE_STRING`), such as `G_FILE_ATTRIBUTE_THUMBNAIL_PATH` or `G_FILE_ATTRIBUTE_STANDARD_NAME`, being read by user code. Spotted by Codean Labs. Signed-off-by: Philip Withnall Fixes: #3845 --- gio/gfileattribute.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/gio/gfileattribute.c b/gio/gfileattribute.c index 9b16a765f..164d27f9a 100644 --- a/gio/gfileattribute.c +++ b/gio/gfileattribute.c @@ -20,6 +20,7 @@ #include "config.h" +#include #include #include "gfileattribute.h" @@ -271,11 +272,12 @@ valid_char (char c) return c >= 32 && c <= 126 && c != '\\'; } +/* Returns NULL on error */ static char * escape_byte_string (const char *str) { - size_t len; - int num_invalid, i; + size_t i, len; + size_t num_invalid; char *escaped_val, *p; unsigned char c; const char hex_digits[] = "0123456789abcdef"; @@ -293,7 +295,12 @@ escape_byte_string (const char *str) return g_strdup (str); else { - escaped_val = g_malloc (len + num_invalid*3 + 1); + /* Check for overflow. We want to check the inequality: + * !(len + num_invalid * 3 + 1 > SIZE_MAX) */ + if (num_invalid >= (SIZE_MAX - len) / 3) + return NULL; + + escaped_val = g_malloc (len + num_invalid * 3 + 1); p = escaped_val; for (i = 0; i < len; i++) -- 2.53.0