From 495c85278f9638fdf3ebf002c759e1bdccebaf2f Mon Sep 17 00:00:00 2001
From: Philip Withnall
Date: Tue, 18 Feb 2025 16:51:36 +0000
Subject: [PATCH 2/6] gdatetime: Fix potential integer overflow in timezone offset handling

This one is much harder to trigger than the one in the previous commit, but mixing `gssize` and `gsize` always runs the risk of the former overflowing for very (very very) long input strings. Avoid that possibility by not using the sign of the `tz_offset` to indicate its validity, and instead using the return value of the function.

Signed-off-by: Philip Withnall

CVE: CVE-2025-3360
Upstream-Status: Backport [https://github.com/GNOME/glib/commit/495c85278f9638fdf3ebf002c759e1bdccebaf2f]
Signed-off-by: Peter Marko
---
 glib/gdatetime.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/glib/gdatetime.c b/glib/gdatetime.c
index b33db2c20..792c2ed15 100644
--- a/glib/gdatetime.c
+++ b/glib/gdatetime.c
@@ -1342,8 +1342,10 @@ parse_iso8601_date (const gchar *text, gsize length,
     return FALSE;
 }
 
+/* Value returned in tz_offset is valid if and only if the function return value
+ * is non-NULL. */
 static GTimeZone *
-parse_iso8601_timezone (const gchar *text, gsize length, gssize *tz_offset)
+parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
 {
   gint i, tz_length, offset_hours, offset_minutes;
   gint offset_sign = 1;
@@ -1411,11 +1413,11 @@ static gboolean
 parse_iso8601_time (const gchar *text, gsize length,
                     gint *hour, gint *minute, gdouble *seconds, GTimeZone **tz)
 {
-  gssize tz_offset = -1;
+  size_t tz_offset = 0;
 
   /* Check for timezone suffix */
   *tz = parse_iso8601_timezone (text, length, &tz_offset);
-  if (tz_offset >= 0)
+  if (*tz != NULL)
     length = tz_offset;
 
   /* hh:mm:ss(.sss) */
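Review bot: The new `parse_iso8601_timezone` signature declares `size_t *tz_offset` while the `length` parameter on the same line stays `gsize`; the rest of this file sizes things with `gsize`, so `gsize *tz_offset` would keep the two consistent (gsize is normally the same width as size_t, so this is style rather than correctness). The added comment states the contract clearly, but the body that stores `*tz_offset` is outside this hunk, so I cannot see whether every non-NULL return path writes it; that is worth confirming, because the caller in the second hunk now trusts the value whenever a GTimeZone is returned. The function continues past the end of the hunk.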
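Review bot: `length = tz_offset;` now executes whenever `*tz` is non-NULL, so correct parsing depends on `parse_iso8601_timezone` having stored `*tz_offset` on every successful path; if any path returned a zone without writing it, `length` would collapse to the initial `0` and the time portion would be parsed as empty rather than rejected. That function's body is not in this hunk, so this is a confirmation request rather than a reported defect. A one-line comment at the check, e.g. `/* tz_offset is only meaningful when a zone was parsed; see parse_iso8601_timezone */`, would record the new invariant at the use site as well as at the definition. `parse_iso8601_time` continues past the end of the hunk.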