From a63a2b26cf96d971285834423a03f6d37b8dd200 Mon Sep 17 00:00:00 2001
From: Emmanuele Bassi
Date: Thu, 4 Feb 2021 19:20:10 +0000
Subject: [PATCH] Ensure we don't overflow when using g_memdup2()

When we turn integers into size_t we should check we're not going to make a mess.
---
 gtk/gtkcellareaboxcontext.c         | 10 ++++++++--
 gtk/inspector/gtktreemodelcssnode.c | 11 ++++++++++-
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/gtk/gtkcellareaboxcontext.c b/gtk/gtkcellareaboxcontext.c
index 9ad1ba6e7c..fc50547b25 100644
--- a/gtk/gtkcellareaboxcontext.c
+++ b/gtk/gtkcellareaboxcontext.c
@@ -25,6 +25,9 @@
 #include "gtkcellareaboxcontextprivate.h"
 #include "gtkorientable.h"
 
+/* XXX: For g_memdup2() */
+#include "gtkprivate.h"
+
 /* GObjectClass */
 static void _gtk_cell_area_box_context_finalize (GObject *object);
 
@@ -407,6 +410,7 @@ _gtk_cell_area_box_init_groups (GtkCellAreaBoxContext *box_context,
                                 gboolean *align_groups)
 {
   GtkCellAreaBoxContextPrivate *priv;
+  gsize groups_size;
 
   g_return_if_fail (GTK_IS_CELL_AREA_BOX_CONTEXT (box_context));
   g_return_if_fail (n_groups == 0 || expand_groups != NULL);
@@ -420,11 +424,13 @@ _gtk_cell_area_box_init_groups (GtkCellAreaBoxContext *box_context,
   g_array_set_size (priv->base_widths, n_groups);
   g_array_set_size (priv->base_heights, n_groups);
 
+  groups_size = n_groups * sizeof (gboolean);
+
   g_free (priv->expand);
-  priv->expand = g_memdup (expand_groups, n_groups * sizeof (gboolean));
+  priv->expand = g_memdup2 (expand_groups, groups_size);
 
   g_free (priv->align);
-  priv->align = g_memdup (align_groups, n_groups * sizeof (gboolean));
+  priv->align = g_memdup2 (align_groups, groups_size);
 }
 
 void
diff --git a/gtk/inspector/gtktreemodelcssnode.c b/gtk/inspector/gtktreemodelcssnode.c
index 2939e438cf..3580748e34 100644
--- a/gtk/inspector/gtktreemodelcssnode.c
+++ b/gtk/inspector/gtktreemodelcssnode.c
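Review bot: The new `groups_size = n_groups * sizeof (gboolean);` in the third hunk of gtk/gtkcellareaboxcontext.c is not preceded by any range check, while the same commit adds a `G_MAXSIZE / sizeof (GType)` guard in gtk/inspector/gtktreemodelcssnode.c; given the commit message, the two files should follow the same pattern. The declared type of n_groups is outside the hunk; if it is a 32-bit unsigned, the product cannot wrap on 64-bit targets but can on 32-bit ones where gsize is also 32 bits, and a switch to g_memdup2 alone does not change that. Adding `g_return_if_fail (n_groups <= G_MAXSIZE / sizeof (gboolean));` beside the existing g_return_if_fail calls in the second hunk would close the gap consistently. _gtk_cell_area_box_init_groups's signature lies outside the hunks, so the parameter type needs confirming in the full file.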
@@ -20,6 +20,10 @@
 #include "gtktreemodelcssnode.h"
 #include "gtk/gtkcsstransientnodeprivate.h"
 
+#if !GLIB_CHECK_VERSION (2, 67, 3)
+# define g_memdup2(mem,size) g_memdup((mem), (size))
+#endif
+
 struct _GtkTreeModelCssNodePrivate
 {
   GtkTreeModelCssNodeGetFunc get_func;
@@ -401,17 +405,22 @@ gtk_tree_model_css_node_newv (GtkTreeModelCssNodeGetFunc get_func,
 {
   GtkTreeModelCssNode *result;
   GtkTreeModelCssNodePrivate *priv;
+  gsize columns_size;
 
   g_return_val_if_fail (get_func != NULL, NULL);
   g_return_val_if_fail (n_columns > 0, NULL);
+  g_return_val_if_fail (n_columns <= G_MAXSIZE / sizeof (GType), NULL);
   g_return_val_if_fail (types != NULL, NULL);
 
   result = g_object_new (GTK_TYPE_TREE_MODEL_CSS_NODE, NULL);
+
   priv = result->priv;
 
+  columns_size = n_columns * sizeof (GType);
+
   priv->get_func = get_func;
   priv->n_columns = n_columns;
-  priv->column_types = g_memdup (types, sizeof (GType) * n_columns);
+  priv->column_types = g_memdup2 (types, columns_size);
 
   return GTK_TREE_MODEL (result);
 }
-- 
2.30.2
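Review bot: The fallback `# define g_memdup2(mem,size) g_memdup((mem), (size))` in the first hunk of gtk/inspector/gtktreemodelcssnode.c silently reintroduces the narrowing the commit is meant to remove: on GLib older than 2.67.3 the gsize argument is converted to g_memdup's guint parameter, and the new `n_columns <= G_MAXSIZE / sizeof (GType)` check in the second hunk only bounds the product against G_MAXSIZE, which on 64-bit targets is far larger than G_MAXUINT. The other file in this patch pulls in `gtkprivate.h` for g_memdup2 according to its `/* XXX: For g_memdup2() */` comment; using that same include here would keep a single definition of the shim instead of two that behave differently. If a local fallback must stay, it should be a static inline wrapper that rejects oversized requests with `g_return_val_if_fail (size <= G_MAXUINT, NULL);` before calling g_memdup. gtk_tree_model_css_node_newv's signature, including the declared type of n_columns, is outside the second hunk.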