Commit 775383f

[AutoPR- Security] Patch glib for CVE-2026-1489, CVE-2026-0988 [MEDIUM] (#15731)
Co-authored-by: jykanase <v-jykanase@microsoft.com>
1 parent 94161a5 commit 775383f

7 files changed, +502 -13 lines changed

SPECS/glib/CVE-2026-0988.patch

Lines changed: 59 additions & 0 deletions
@@ -0,0 +1,59 @@
1+
From 56ec31fed99ea19c123e5266a27f4ea03d25ae15 Mon Sep 17 00:00:00 2001
2+
From: Philip Withnall <pwithnall@gnome.org>
3+
Date: Thu, 18 Dec 2025 23:12:18 +0000
4+
Subject: [PATCH] gbufferedinputstream: Fix a potential integer overflow in
5+
peek()
6+
7+
If the caller provides `offset` and `count` arguments which overflow,
8+
their sum will overflow and could lead to `memcpy()` reading out more
9+
memory than expected.
10+
11+
Spotted by Codean Labs.
12+
13+
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
14+
15+
Fixes: #3851
16+
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
17+
Upstream-reference: https://gitlab.gnome.org/GNOME/glib/-/commit/c5766cff61ffce0b8e787eae09908ac348338e5f.patch
18+
---
19+
gio/gbufferedinputstream.c | 2 +-
20+
gio/tests/buffered-input-stream.c | 10 ++++++++++
21+
2 files changed, 11 insertions(+), 1 deletion(-)
22+
23+
diff --git a/gio/gbufferedinputstream.c b/gio/gbufferedinputstream.c
24+
index d9f150d..04c4d9f 100644
25+
--- a/gio/gbufferedinputstream.c
26+
+++ b/gio/gbufferedinputstream.c
27+
@@ -588,7 +588,7 @@ g_buffered_input_stream_peek (GBufferedInputStream *stream,
28+
29+
available = g_buffered_input_stream_get_available (stream);
30+
31+
- if (offset > available)
32+
+ if (offset > available || offset > G_MAXSIZE - count)
33+
return 0;
34+
35+
end = MIN (offset + count, available);
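Review bot: In g_buffered_input_stream_peek(), the added `offset > G_MAXSIZE - count` condition has no comment, and it returns 0 for a wrapping pair, the same value a caller gets when `offset` is past the buffered data. Add a one-line comment above the `if` saying that it keeps `offset + count` in the `MIN (offset + count, available)` line below from wrapping. An alternative to consider: once `offset <= available` is established, clamping with `MIN (count, available - offset)` cannot wrap and would hand back the bytes that are available instead of rejecting the call. The test added in this patch expects 0 for the (5, `G_MAXSIZE`) case, so it would have to change along with that.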
36+
diff --git a/gio/tests/buffered-input-stream.c b/gio/tests/buffered-input-stream.c
37+
index ee084b3..39b4daf 100644
38+
--- a/gio/tests/buffered-input-stream.c
39+
+++ b/gio/tests/buffered-input-stream.c
40+
@@ -58,6 +58,16 @@ test_peek (void)
41+
g_assert_cmpint (npeek, ==, 0);
42+
g_free (buffer);
43+
44+
+ buffer = g_new0 (char, 64);
45+
+ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 8, 0);
46+
+ g_assert_cmpint (npeek, ==, 0);
47+
+ g_free (buffer);
48+
+
49+
+ buffer = g_new0 (char, 64);
50+
+ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 5, G_MAXSIZE);
51+
+ g_assert_cmpint (npeek, ==, 0);
52+
+ g_free (buffer);
53+
+
54+
g_object_unref (in);
55+
g_object_unref (base);
56+
}
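Review bot: The two blocks added to test_peek() carry no comment, and only the second (offset 5, count `G_MAXSIZE`) can reach the new overflow condition; the first (offset 8, count 0) cannot wrap. Label each block with the case it covers. Also consider one case on the accepted side of the boundary, where `offset + count` is large but does not wrap and the buffer is sized for the data available, so that a later change which tightens the check too far is caught by a non-zero expected result.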
57+
--
58+
2.45.4
59+
