From 3752760c5091eaed561ec11636b069e529533514 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Mon, 7 Jul 2025 20:57:41 +0200
Subject: [PATCH] gstring: Improve g_string_append_len_inline checks

Use the same style for the G_LIKELY check here as in g_string_sized_new.
The previous form of the check could overflow on 32 bit systems.

Also improve the memcpy/memmove check to use memcpy if val itself is
adjacent to end + len_unsigned, which means that no overlapping exists.

CVE: CVE-2025-6052
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/3752760c5091eaed561ec11636b069e529533514]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 glib/gstring.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/glib/gstring.h b/glib/gstring.h
index e817176c9..c5e64b33a 100644
--- a/glib/gstring.h
+++ b/glib/gstring.h
@@ -232,10 +232,10 @@ g_string_append_len_inline (GString    *gstring,
   else
     len_unsigned = (gsize) len;
 
-  if (G_LIKELY (gstring->len + len_unsigned < gstring->allocated_len))
+  if (G_LIKELY (len_unsigned < gstring->allocated_len - gstring->len))
     {
       char *end = gstring->str + gstring->len;
-      if (G_LIKELY (val + len_unsigned <= end || val > end + len_unsigned))
+      if (G_LIKELY (val + len_unsigned <= end || val >= end + len_unsigned))
         memcpy (end, val, len_unsigned);
       else
         memmove (end, val, len_unsigned);
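Review bot: The rewritten guard `len_unsigned < gstring->allocated_len - gstring->len` is only sound while `gstring->len` never exceeds `gstring->allocated_len`, and nothing in the visible lines states or checks that. GString's fields are public, so if a caller ever leaves `len` larger than `allocated_len` the subtraction wraps to a very large value and the fast path copies past the end of the buffer. I would document the dependency directly above the test, for example `/* Relies on gstring->len <= gstring->allocated_len; written as a subtraction so the test cannot wrap on 32-bit. */`, so a later cleanup does not turn it back into the sum form. The body of g_string_append_len_inline begins and ends outside this hunk, so whether the slow path re-validates these fields cannot be seen from here.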
