From 63c5b62f0a984fac9a9700b12f54fe878e016a5d Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Wed, 2 Sep 2020 12:38:09 +0100 Subject: [PATCH] goption: Add a precondition to avoid GOptionEntry list overflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the calling code adds more option entries than `G_MAXSIZE` then there’ll be an integer overflow. This seems vanishingly unlikely (given that all callers use static option entry lists), but add a precondition anyway. Signed-off-by: Philip Withnall Fixes: #2197 --- glib/goption.c | 2 ++ 1 file changed, 2 insertions(+) CVE: CVE-2020-35457 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/63c5b62f0a984fac9a9700b12f54fe878e016a5d] Comment: adjusted offset by -5 to fix patch fuzz warning diff --git a/glib/goption.c b/glib/goption.c index 9f5b977c4..bb9093a33 100644 --- a/glib/goption.c +++ b/glib/goption.c @@ -2417,6 +2417,8 @@ g_option_group_add_entries (GOptionGroup *group, for (n_entries = 0; entries[n_entries].long_name != NULL; n_entries++) ; + g_return_if_fail (n_entries <= G_MAXSIZE - group->n_entries); + group->entries = g_renew (GOptionEntry, group->entries, group->n_entries + n_entries); /* group->entries could be NULL in the trivial case where we add no -- 2.20.1
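
Review bot: The new `g_return_if_fail (n_entries <= G_MAXSIZE - group->n_entries)` in g_option_group_add_entries only bounds the sum correctly if both `n_entries` and `group->n_entries` are unsigned and as wide as gsize, and neither declaration is visible in this hunk. Because this is a backport with the offset adjusted by -5, please confirm that the target tree declares both counters as gsize. If either is a narrower or signed integer there, the subtraction from G_MAXSIZE will not catch the wrap the commit message describes, and `group->n_entries + n_entries` passed to g_renew can still overflow. A second point on the same line: g_return_if_fail is a precondition macro that is compiled out when GLib is built with G_DISABLE_CHECKS, and on failure it logs a critical and returns with no status for the caller to inspect, so the entries are silently not added. If this check is meant to be the fix for the CVE rather than a programmer-error assertion, consider an unconditional `if` test that does not depend on build flags, and add a short comment above it saying which addition it protects.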