From 2eacbd762332795e00692ddab2515c6da23198d3 Mon Sep 17 00:00:00 2001 From: Changqing Li Date: Mon, 12 May 2025 14:06:41 +0800 Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space() CVE: CVE-2025-2784 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435/diffs?commit_id=242a10fbb12dbdc12d254bd8fc8669a0ac055304; https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/442/diffs?commit_id=c415ad0b6771992e66c70edf373566c6e247089d] Test code is not added since it uses some functions not defined in version 2.74. These tests are not used now, so just ignore them. Signed-off-by: Changqing Li --- libsoup/soup-content-sniffer.c | 9 +++---- 1 files changed, 3 insertions(+), 4 deletions(-) diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c index 5f2896e..9554636 100644 --- a/libsoup/soup-content-sniffer.c +++ b/libsoup/soup-content-sniffer.c @@ -612,8 +612,10 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer) } static gboolean -skip_insignificant_space (const char *resource, int *pos, int resource_length) +skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length) { + if (*pos >= resource_length) + return TRUE; while ((resource[*pos] == '\x09') || (resource[*pos] == '\x20') || (resource[*pos] == '\x0A') || @@ -632,7 +634,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) { const char *resource = (const char *)buffer->data; int resource_length = MIN (512, buffer->length); - int pos = 0; + gsize pos = 0; if (resource_length < 3) goto text_html; @@ -642,9 +644,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) pos = 3; look_for_tag: - if (pos > resource_length) - goto text_html; - if (skip_insignificant_space (resource, &pos, resource_length)) goto text_html; -- 2.34.1