[glib: 4/5] Add some overflow protection to g_string_chunk_insert_len()




commit 72ca69e1dbf765de1b19fa0769cca614057a8d5f
Author: Sebastian Dröge <sebastian centricular com>
Date:   Thu Nov 25 14:25:24 2021 +0200

    Add some overflow protection to g_string_chunk_insert_len()
    
    If the new string's length plus the existing storage's length is
    overflowing a gsize, we would previously memcpy() the string over the
    bounds of the previous allocation.
    
    Similarly if the string's size was bigger than G_MAXSIZE / 2 we would've
    previously allocated 0 bytes.
    
    Now instead create a new allocation that fits the string.

 glib/gstringchunk.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
---
diff --git a/glib/gstringchunk.c b/glib/gstringchunk.c
index 226bfa98f..feacb154f 100644
--- a/glib/gstringchunk.c
+++ b/glib/gstringchunk.c
@@ -270,10 +270,15 @@ g_string_chunk_insert_len (GStringChunk *chunk,
   else
     size = (gsize) len;
 
-  if ((chunk->storage_next + size + 1) > chunk->this_size)
+  if ((G_MAXSIZE - chunk->storage_next < size + 1) || (chunk->storage_next + size + 1) > chunk->this_size)
     {
       gsize new_size = g_nearest_pow (MAX (chunk->default_size, size + 1));
 
+      /* If size is bigger than G_MAXSIZE / 2 then store it in its own
+       * allocation instead of failing here */
+      if (new_size == 0)
+        new_size = size + 1;
+
       chunk->storage_list = g_slist_prepend (chunk->storage_list,
                                              g_new (gchar, new_size));
 
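Review bot: the new guard `G_MAXSIZE - chunk->storage_next < size + 1` still evaluates `size + 1`, which wraps to 0 when `size == G_MAXSIZE`; in that case the comparison is false, the original `chunk->storage_next + size + 1` test is taken instead, and the fallback `new_size = size + 1` would also produce 0 and hand a zero-byte allocation to `g_new()`. Writing the check as `size >= G_MAXSIZE - chunk->storage_next` avoids the addition, and since `size + 1` appears three times in this hunk (the guard, the `MAX (chunk->default_size, size + 1)` argument and the fallback), rejecting `size == G_MAXSIZE` once up front, before this block, would make all three uses safe.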

