--- /dev/null
+From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 27 Aug 2024 13:53:26 -0500
+Subject: [PATCH 1/2] headers: Be more robust against invalid input when
+ parsing params
+
+If you pass invalid input to a function such as soup_header_parse_param_list_strict()
+it can cause an overflow if it decodes the input to UTF-8.
+
+This should never happen with valid UTF-8 input which libsoup's client API
+ensures, however it's server API does not currently.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2024-52531-1.patch?h=ubuntu/jammy-security
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283]
+CVE: CVE-2024-52531
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-headers.c | 46 ++++++++++++++++++++++--------------------
+ 1 file changed, 24 insertions(+), 22 deletions(-)
+
+Index: libsoup2.4-2.74.2/libsoup/soup-headers.c
+===================================================================
+--- libsoup2.4-2.74.2.orig/libsoup/soup-headers.c
++++ libsoup2.4-2.74.2/libsoup/soup-headers.c
+@@ -643,8 +643,9 @@ soup_header_contains (const char *header
+ }
+
+ static void
+-decode_quoted_string (char *quoted_string)
++decode_quoted_string_inplace (GString *quoted_gstring)
+ {
++ char *quoted_string = quoted_gstring->str;
+ char *src, *dst;
+
+ src = quoted_string + 1;
+@@ -658,10 +659,11 @@ decode_quoted_string (char *quoted_strin
+ }
+
+ static gboolean
+-decode_rfc5987 (char *encoded_string)
++decode_rfc5987_inplace (GString *encoded_gstring)
+ {
+ char *q, *decoded;
+ gboolean iso_8859_1 = FALSE;
++ const char *encoded_string = encoded_gstring->str;
+
+ q = strchr (encoded_string, '\'');
+ if (!q)
+@@ -690,14 +692,7 @@ decode_rfc5987 (char *encoded_string)
+ decoded = utf8;
+ }
+
+- /* If encoded_string was UTF-8, then each 3-character %-escape
+- * will be converted to a single byte, and so decoded is
+- * shorter than encoded_string. If encoded_string was
+- * iso-8859-1, then each 3-character %-escape will be
+- * converted into at most 2 bytes in UTF-8, and so it's still
+- * shorter.
+- */
+- strcpy (encoded_string, decoded);
++ g_string_assign (encoded_gstring, decoded);
+ g_free (decoded);
+ return TRUE;
+ }
+@@ -707,15 +702,17 @@ parse_param_list (const char *header, ch
+ {
+ GHashTable *params;
+ GSList *list, *iter;
+- char *item, *eq, *name_end, *value;
+- gboolean override, duplicated;
+
+ params = g_hash_table_new_full (soup_str_case_hash,
+ soup_str_case_equal,
+- g_free, NULL);
++ g_free, g_free);
+
+ list = parse_list (header, delim);
+ for (iter = list; iter; iter = iter->next) {
++ char *item, *eq, *name_end;
++ gboolean override, duplicated;
++ GString *parsed_value = NULL;
++
+ item = iter->data;
+ override = FALSE;
+
+@@ -730,19 +727,19 @@ parse_param_list (const char *header, ch
+
+ *name_end = '\0';
+
+- value = (char *)skip_lws (eq + 1);
++ parsed_value = g_string_new ((char *)skip_lws (eq + 1));
+
+ if (name_end[-1] == '*' && name_end > item + 1) {
+ name_end[-1] = '\0';
+- if (!decode_rfc5987 (value)) {
++ if (!decode_rfc5987_inplace (parsed_value)) {
++ g_string_free (parsed_value, TRUE);
+ g_free (item);
+ continue;
+ }
+ override = TRUE;
+- } else if (*value == '"')
+- decode_quoted_string (value);
+- } else
+- value = NULL;
++ } else if (parsed_value->str[0] == '"')
++ decode_quoted_string_inplace (parsed_value);
++ }
+
+ duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
+
+@@ -750,11 +747,16 @@ parse_param_list (const char *header, ch
+ soup_header_free_param_list (params);
+ params = NULL;
+ g_slist_foreach (iter, (GFunc)g_free, NULL);
++ if (parsed_value)
++ g_string_free (parsed_value, TRUE);
+ break;
+- } else if (override || !duplicated)
+- g_hash_table_replace (params, item, value);
+- else
++ } else if (override || !duplicated) {
++ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
++ } else {
++ if (parsed_value)
++ g_string_free (parsed_value, TRUE);
+ g_free (item);
++ }
+ }
+
+ g_slist_free (list);
--- /dev/null
+From 825fda3425546847b42ad5270544e9388ff349fe Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 27 Aug 2024 13:52:08 -0500
+Subject: [PATCH 2/2] tests: Add test for passing invalid UTF-8 to
+ soup_header_parse_semi_param_list()
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2024-52531-2.patch?h=ubuntu/jammy-security
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/825fda3425546847b42ad5270544e9388ff349fe]
+CVE: CVE-2024-52531
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tests/header-parsing-test.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+Index: libsoup2.4-2.74.2/tests/header-parsing-test.c
+===================================================================
+--- libsoup2.4-2.74.2.orig/tests/header-parsing-test.c
++++ libsoup2.4-2.74.2/tests/header-parsing-test.c
+@@ -825,6 +825,17 @@ static struct ParamListTest {
+ { "filename", "t\xC3\xA9st.txt" },
+ },
+ },
++
++ /* This tests invalid UTF-8 data which *should* never be passed here but it was designed to be robust against it. */
++ { TRUE,
++ "invalid*=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename*=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo",
++ {
++ { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
++ { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
++ { "foo", NULL },
++
++ },
++ }
+ };
+ static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests);
+
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
