[glib: 2/5] Add stricter overflow protection from GArray to g_ptr_array_maybe_expand() too




commit d01dc6d23a686778d8c0f1df695a3957f363f656
Author: Sebastian Dröge <sebastian centricular com>
Date:   Thu Nov 25 14:11:29 2021 +0200

    Add stricter overflow protection from GArray to g_ptr_array_maybe_expand() too
    
    It might otherwise happen that the return value from g_nearest_pow()
    does not fit into a guint, i.e. it might be G_MAXUINT + 1 if that fits
    into a gsize.

 glib/garray.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
---
diff --git a/glib/garray.c b/glib/garray.c
index e493e2ac1..3803fee03 100644
--- a/glib/garray.c
+++ b/glib/garray.c
@@ -1503,8 +1503,16 @@ static void
 g_ptr_array_maybe_expand (GRealPtrArray *array,
                           guint          len)
 {
+  guint max_len;
+
+  /* The maximum array length is derived from following constraints:
+   * - The number of bytes must fit into a gsize / 2.
+   * - The number of elements must fit into guint.
+   */
+  max_len = MIN (G_MAXSIZE / 2 / sizeof (gpointer), G_MAXUINT);
+
   /* Detect potential overflow */
-  if G_UNLIKELY ((G_MAXUINT - array->len) < len)
+  if G_UNLIKELY ((max_len - array->len) < len)
     g_error ("adding %u to array would overflow", len);
 
   if ((array->len + len) > array->alloc)
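Review bot: Where `gsize` is wider than `guint` (typical 64-bit builds), `G_MAXSIZE / 2 / sizeof (gpointer)` exceeds `G_MAXUINT`, so `max_len` is just `G_MAXUINT` and the new guard is identical to the one it replaces. The guard therefore still admits `array->len + len` above 2^31, whose next power of two is `G_MAXUINT + 1`, the case the commit message describes. The function body continues outside the hunk, so it is not visible here whether the `g_nearest_pow()` result is clamped before being stored in a `guint`. That clamp, something like `MIN (want_alloc / sizeof (gpointer), G_MAXUINT)`, is what has to prevent the truncation, and it is worth confirming it lands together with this check. The block comment could also say why the byte count is halved, presumably `/* / 2 leaves room for g_nearest_pow() to round the byte count up without wrapping gsize */`. A short note that the `MIN()` result is narrowed from `gsize` to `guint` only after being bounded by `G_MAXUINT` would help too.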

