A heap-buffer-overflow READ vulnerability exists in GLib's g_regex_replace() function when used with the G_REGEX_RAW compile flag and case-change replacement escapes (\U, \L, \u, \l). In G_REGEX_RAW mode, PCRE2 treats the subject string as raw bytes rather than UTF-8. Matched substrings can therefore contain arbitrary byte sequences that are not valid UTF-8. When the replacement string contains case-change escapes (e.g., \U\0 to uppercase the match), the internal string_append() function processes the matched substring using UTF-8 functions (g_utf8_get_char(), g_utf8_next_char()), which assume valid UTF-8 input. A multi-byte UTF-8 lead byte (e.g., 0xF4 indicating a 4-byte sequence) in the matched data causes these functions to read beyond the heap-allocated buffer.
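The failure mode described above, as an added example that is not GLib's code or its fix: a simplified model of a lead-byte-driven UTF-8 walk over a raw matched substring, next to a structural check a caller could run before applying case-change escapes to raw matches. The function names and sample bytes are hypothetical and constructed here.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the lead-byte length lookup a UTF-8 walker relies on
 * (assumption: sequences of up to 4 bytes; every other byte advances by 1). */
static size_t utf8_skip_len(unsigned char b)
{
    if (b >= 0xF0 && b <= 0xF7) return 4;
    if (b >= 0xE0 && b <= 0xEF) return 3;
    if (b >= 0xC0 && b <= 0xDF) return 2;
    return 1;
}

/* Bytes past the end that a lead-byte-driven walk would touch.
 * Only reads buf[p] for p < len, so the model itself stays in bounds. */
size_t utf8_walk_overrun(const unsigned char *buf, size_t len)
{
    size_t p = 0;
    while (p < len)
        p += utf8_skip_len(buf[p]);
    return p - len;
}

/* Structural check before UTF-8 case conversion: each sequence must be
 * complete inside the buffer and use 10xxxxxx continuation bytes.
 * Not a full validator (overlong forms and surrogates are not rejected). */
int utf8_sequences_complete(const unsigned char *buf, size_t len)
{
    size_t p = 0;
    while (p < len) {
        size_t n = utf8_skip_len(buf[p]);
        if (n == 1 && buf[p] >= 0x80) return 0;   /* stray or invalid lead */
        if (n > len - p) return 0;                /* truncated at buffer end */
        for (size_t i = 1; i < n; i++)
            if ((buf[p + i] & 0xC0) != 0x80) return 0;
        p += n;
    }
    return 1;
}

/* Constructed sample matches, as a raw-mode pattern could capture them. */
static const unsigned char raw_match[]  = { 'a', 'b', 0xF4 };
static const unsigned char utf8_match[] = { 'h', 0xC3, 0xA9, 'l', 'l', 'o' };
static const unsigned char cut_match[]  = { 0xF4, 0x8F, 0xBF };

int main(void)
{
    printf("raw match: overrun=%zu complete=%d\n",
           utf8_walk_overrun(raw_match, sizeof raw_match),
           utf8_sequences_complete(raw_match, sizeof raw_match));
    return 0;
}
```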