From c5766cff61ffce0b8e787eae09908ac348338e5f Mon Sep 17 00:00:00 2001
From: Philip Withnall
Date: Thu, 18 Dec 2025 23:12:18 +0000
Subject: [PATCH] gbufferedinputstream: Fix a potential integer overflow in peek()

If the caller provides `offset` and `count` arguments which overflow, their sum will overflow and could lead to `memcpy()` reading out more memory than expected.

Spotted by Codean Labs.

Signed-off-by: Philip Withnall
Fixes: #3851
CVE: CVE-2026-0988
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/c5766cff61ffce0b8e787eae09908ac348338e5f]

Signed-off-by: Peter Marko
---
 gio/gbufferedinputstream.c | 2 +-
 gio/tests/buffered-input-stream.c | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/gio/gbufferedinputstream.c b/gio/gbufferedinputstream.c
index 9e6bacc62..56d656be0 100644
--- a/gio/gbufferedinputstream.c
+++ b/gio/gbufferedinputstream.c
@@ -590,7 +590,7 @@ g_buffered_input_stream_peek (GBufferedInputStream *stream,
 available = g_buffered_input_stream_get_available (stream);
- if (offset > available)
+ if (offset > available || offset > G_MAXSIZE - count)
 return 0;
 end = MIN (offset + count, available);
diff --git a/gio/tests/buffered-input-stream.c b/gio/tests/buffered-input-stream.c
index a1af4eeff..2b2a0d9aa 100644
--- a/gio/tests/buffered-input-stream.c
+++ b/gio/tests/buffered-input-stream.c
@@ -60,6 +60,16 @@ test_peek (void)
 g_assert_cmpint (npeek, ==, 0);
 g_free (buffer);
+ buffer = g_new0 (char, 64);
+ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 8, 0);
+ g_assert_cmpint (npeek, ==, 0);
+ g_free (buffer);
+
+ buffer = g_new0 (char, 64);
+ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 5, G_MAXSIZE);
+ g_assert_cmpint (npeek, ==, 0);
+ g_free (buffer);
+
 g_object_unref (in);
 g_object_unref (base);
 }
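Review bot: The new `offset > G_MAXSIZE - count` term in the `if` is correct but reads as opaque without a comment, since its purpose is to protect the `offset + count` inside the `MIN ()` on the following line from wrapping and producing an `end` smaller than `offset`. I would add a comment above the condition: `/* Reject offset + count wrapping around, otherwise end below would be computed from a wrapped sum */`. The second new test case (`5, G_MAXSIZE`) exercises exactly this term, which is worth stating there too. `g_buffered_input_stream_peek ()` both starts and ends outside this hunk, so callers of `end` further down are not visible here.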
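Review bot: The two added cases in `test_peek ()` check `count == 0` and an overflowing sum, but not the boundary where `offset + count == G_MAXSIZE`, which is the largest sum the new guard must still accept. A third case such as `npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 1, G_MAXSIZE - 1);` would pin that the non-overflow path is taken; its expected value depends on how much is buffered at that point, which this hunk does not show, so it would presumably be asserted against `g_buffered_input_stream_get_available ()` minus one. `test_peek ()` starts outside the hunk, so the state of `in` before these cases is not visible.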