meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

From 12523a592f1216450d18706bcf6c16e0f1ab0ce0 Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Fri, 16 May 2025 13:52:37 +0800
Subject: [PATCH] headers: Be more robust against invalid input when
 parsing params

If you pass invalid input to a function such as soup_header_parse_param_list_strict()
it can cause an overflow if it decodes the input to UTF-8.

This should never happen with valid UTF-8 input which libsoup's client API
ensures, however it's server API does not currently.

CVE: CVE-2024-52531
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=a35222dd0bfab2ac97c10e86b95f762456628283]

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 libsoup/soup-headers.c | 45 +++++++++++++++++++++---------------------
 1 file changed, 23 insertions(+), 22 deletions(-)

diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 67905b2..39e8d34 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -642,8 +642,9 @@ soup_header_contains (const char *header, const char *token)
 }
 
 static void
-decode_quoted_string (char *quoted_string)
+decode_quoted_string_inplace (GString *quoted_gstring)
 {
+	char *quoted_string = quoted_gstring->str;
 	char *src, *dst;
 
 	src = quoted_string + 1;
@@ -657,10 +658,11 @@ decode_quoted_string (char *quoted_string)
 }
 
 static gboolean
-decode_rfc5987 (char *encoded_string)
+decode_rfc5987_inplace (GString *encoded_gstring)
 {
 	char *q, *decoded;
 	gboolean iso_8859_1 = FALSE;
+	const char *encoded_string = encoded_gstring->str;
 
 	q = strchr (encoded_string, '\'');
 	if (!q)
@@ -689,14 +691,7 @@ decode_rfc5987 (char *encoded_string)
 		decoded = utf8;
 	}
 
-	/* If encoded_string was UTF-8, then each 3-character %-escape
-	 * will be converted to a single byte, and so decoded is
-	 * shorter than encoded_string. If encoded_string was
-	 * iso-8859-1, then each 3-character %-escape will be
-	 * converted into at most 2 bytes in UTF-8, and so it's still
-	 * shorter.
-	 */
-	strcpy (encoded_string, decoded);
+	g_string_assign (encoded_gstring, decoded);
 	g_free (decoded);
 	return TRUE;
 }
@@ -706,15 +701,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
 {
 	GHashTable *params;
 	GSList *list, *iter;
-	char *item, *eq, *name_end, *value;
-	gboolean override, duplicated;
 
 	params = g_hash_table_new_full (soup_str_case_hash, 
 					soup_str_case_equal,
-					g_free, NULL);
+					g_free, g_free);
 
 	list = parse_list (header, delim);
 	for (iter = list; iter; iter = iter->next) {
+ 		char *item, *eq, *name_end;
+		gboolean override, duplicated;
+		GString *parsed_value = NULL;
 		item = iter->data;
 		override = FALSE;
 
@@ -729,19 +725,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
 
 			*name_end = '\0';
 
-			value = (char *)skip_lws (eq + 1);
+			parsed_value = g_string_new ((char *)skip_lws (eq + 1));
 
 			if (name_end[-1] == '*' && name_end > item + 1) {
 				name_end[-1] = '\0';
-				if (!decode_rfc5987 (value)) {
+				if (!decode_rfc5987_inplace (parsed_value)) {
+					g_string_free (parsed_value, TRUE);
 					g_free (item);
 					continue;
 				}
 				override = TRUE;
-			} else if (*value == '"')
-				decode_quoted_string (value);
-		} else
-			value = NULL;
+			} else if (parsed_value->str[0] == '"')
+				decode_quoted_string_inplace (parsed_value);
+			}
 
 		duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
 
@@ -749,11 +745,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
 			soup_header_free_param_list (params);
 			params = NULL;
 			g_slist_foreach (iter, (GFunc)g_free, NULL);
+			if (parsed_value)
+				g_string_free (parsed_value, TRUE);
 			break;
-		} else if (override || !duplicated)
-			g_hash_table_replace (params, item, value);
-		else
+		} else if (override || !duplicated) {
+			g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
+		} else {
+			if (parsed_value)
+				g_string_free (parsed_value, TRUE);
 			g_free (item);
+		}
 	}
 
 	g_slist_free (list);
-- 
2.34.1