From nobody Tue Sep 9 18:52:43 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 173816662790520.101675150956794; Wed, 29 Jan 2025 08:03:47 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 996) id 2FDC7180F; Wed, 29 Jan 2025 11:03:46 -0500 (EST) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 954D1166C; Wed, 29 Jan 2025 11:03:20 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 996) id 45E9C1425; Wed, 29 Jan 2025 11:03:18 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 5E5E11360 for ; Wed, 29 Jan 2025 11:03:17 -0500 (EST) Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-586-6mVOWq5YNGChLJ7jjqpe1g-1; Wed, 29 Jan 2025 11:03:15 -0500 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 435EC19560B1 for ; Wed, 29 Jan 2025 16:03:14 +0000 (UTC) Received: from ajulis-thinkpadt14gen4.remote.csb (unknown [10.43.2.183]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 8B2F61800951 for ; Wed, 29 Jan 2025 16:03:13 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1738166597; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ix/5UiyXWzesB1xkoKn7TXH8a3XQfBiC96wzwm7jUKo=; b=INGo0MJPOrZ7ll83Xb5aVxWGcU5b1wiXSxo9XTUrmG/Gu8EE+7Sy4MEASWxxwDtvpS2SgB WDqPi22Y7dyCXKbHB5NQbrhWJEotFvK/RyfCQnp46nvR5g8vCc7dn/a9bxUEC1/maFfeNI uq1xTg2t0K3fhqZD9g5WPK7E2tP2fQ8= X-MC-Unique: 6mVOWq5YNGChLJ7jjqpe1g-1 X-Mimecast-MFC-AGG-ID: 6mVOWq5YNGChLJ7jjqpe1g From: Adam Julis To: devel@lists.libvirt.org Subject: [PATCH] glibcompat: Updating "backport" 'g_string_replace' Date: Wed, 29 Jan 2025 17:02:45 +0100 Message-ID: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: yDFe-qmip958VS2VZjV0OvGrkio5Uvu5aZSBU7o8zHA_1738166594 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: VZS4BTAHW5QXHFUKQDABFC3VM6TWNUJ7 X-Message-ID-Hash: VZS4BTAHW5QXHFUKQDABFC3VM6TWNUJ7 X-MailFrom: ajulis@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1738166789171019100 Content-Type: text/plain; charset="utf-8" Update the vir_g_string_replace with following commits from glib: c9e48947e gstring: Fix a heap buffer overflow in the new g_string_replace() code e8517e777 remove quadratic behavior in g_string_replace Signed-off-by: Adam Julis Reviewed-by: Michal Privoznik --- src/util/glibcompat.c | 125 +++++++++++++++++++++++++++++++++++------- 1 file changed, 105 insertions(+), 20 deletions(-) diff --git a/src/util/glibcompat.c b/src/util/glibcompat.c index bcb666992a..47e3edef13 100644 --- a/src/util/glibcompat.c +++ b/src/util/glibcompat.c @@ -65,7 +65,7 @@ =20 /** * Adapted (to pass syntax check) from 'g_string_replace' from - * glib-2.81.1. Drop once minimum glib is bumped to 2.68. + * glib-2.83.3. Drop once minimum glib is bumped to 2.68. * * g_string_replace: * @string: a #GString @@ -94,35 +94,120 @@ vir_g_string_replace(GString *string, const gchar *replace, guint limit) { - gsize f_len, r_len, pos; - gchar *cur, *next; - guint n =3D 0; + GString *new_string =3D NULL; + gsize f_len, r_len, new_len; + gchar *cur, *next, *first, *dst; + guint n; =20 g_return_val_if_fail(string !=3D NULL, 0); g_return_val_if_fail(find !=3D NULL, 0); g_return_val_if_fail(replace !=3D NULL, 0); =20 + first =3D strstr(string->str, find); + + if (first =3D=3D NULL) + return 0; + + new_len =3D string->len; f_len =3D strlen(find); r_len =3D strlen(replace); - cur =3D string->str; =20 - while ((next =3D strstr(cur, find)) !=3D NULL) { - pos =3D next - string->str; - g_string_erase(string, pos, f_len); - g_string_insert(string, pos, replace); - cur =3D string->str + pos + r_len; - n++; - /* Only match the empty string once at any given position, to - * avoid infinite loops */ - if (f_len =3D=3D 0) { - if (cur[0] =3D=3D '\0') - break; - else - cur++; + /* It removes a lot of branches and possibility for infinite loops if = we + * handle the case of an empty @find string separately. */ + if (G_UNLIKELY(f_len =3D=3D 0)) { + size_t i; + if (limit =3D=3D 0 || limit > string->len) { + if (string->len > G_MAXSIZE - 1) + g_error("inserting in every position in string would overf= low"); + + limit =3D string->len + 1; + } + + if (r_len > 0 && + (limit > G_MAXSIZE / r_len || + limit * r_len > G_MAXSIZE - string->len)) + g_error("inserting in every position in string would overflow"= ); + + new_len =3D string->len + limit * r_len; + new_string =3D g_string_sized_new(new_len); + for (i =3D 0; i < limit; i++) { + g_string_append_len(new_string, replace, r_len); + if (i < string->len) + g_string_append_c(new_string, string->str[i]); } - if (n =3D=3D limit) - break; + if (limit < string->len) + g_string_append_len(new_string, string->str + limit, string->l= en - limit); + + g_free(string->str); + string->allocated_len =3D new_string->allocated_len; + string->len =3D new_string->len; + string->str =3D g_string_free(g_steal_pointer(&new_string), FALSE); + + return limit; } + /* Potentially do two passes: the first to calculate the length of the= new string, + * new_len, if it=E2=80=99s going to be longer than the original strin= g; and the second to + * do the replacements. The first pass is skipped if the new string is= going to be + * no longer than the original. + * + * The second pass calls various g_string_insert_len() (and similar) m= ethods + * which would normally potentially reallocate string->str, and hence + * invalidate the cur/next/first/dst pointers. Because we=E2=80=99ve p= re-calculated + * the new_len and do all the string manipulations on new_string, that + * shouldn=E2=80=99t happen. This means we scan `string` while modifyi= ng + * `new_string`. */ + do { + dst =3D first; + cur =3D first; + n =3D 0; + while ((next =3D strstr(cur, find)) !=3D NULL) { + n++; + + if (r_len <=3D f_len) { + memmove(dst, cur, next - cur); + dst +=3D next - cur; + memcpy(dst, replace, r_len); + dst +=3D r_len; + } else { + if (new_string =3D=3D NULL) { + new_len +=3D r_len - f_len; + } else { + g_string_append_len(new_string, cur, next - cur); + g_string_append_len(new_string, replace, r_len); + } + } + cur =3D next + f_len; + + if (n =3D=3D limit) + break; + } + + /* Append the trailing characters from after the final instance of= @find + * in the input string. */ + if (r_len <=3D f_len) { + /* First pass skipped. */ + gchar *end =3D string->str + string->len; + memmove(dst, cur, end - cur); + end =3D dst + (end - cur); + *end =3D 0; + string->len =3D end - string->str; + break; + } else { + if (new_string =3D=3D NULL) { + /* First pass. */ + new_string =3D g_string_sized_new(new_len); + g_string_append_len(new_string, string->str, first - strin= g->str); + } else { + /* Second pass. */ + g_string_append_len(new_string, cur, (string->str + string= ->len) - cur); + g_free(string->str); + string->allocated_len =3D new_string->allocated_len; + string->len =3D new_string->len; + string->str =3D g_string_free(g_steal_pointer(&new_string)= , FALSE); + break; + } + } + } while (1); =20 return n; } --=20 2.47.1