summaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch
blob: c9fbdbacc88636b940c07d4d8aa6ac12dbae39a8 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117

From 3844026f74a41dd9ccab955899e005995293d246 Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Tue, 8 Jul 2025 14:58:30 +0800
Subject: [PATCH] soup-date-utils: Add value checks for date/time parsing

Reject date/time when it does not represent a valid value.

Closes #448

CVE: CVE-2025-4945
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f]

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 libsoup/soup-date.c  | 21 +++++++++++++++------
 tests/cookies-test.c | 10 ++++++++++
 2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/libsoup/soup-date.c b/libsoup/soup-date.c
index 9602d1f..4c114c1 100644
--- a/libsoup/soup-date.c
+++ b/libsoup/soup-date.c
@@ -284,7 +284,7 @@ parse_day (SoupDate *date, const char **date_string)
 	while (*end == ' ' || *end == '-')
 		end++;
 	*date_string = end;
-	return TRUE;
+	return date->day >= 1 && date->day <= 31;
 }
 
 static inline gboolean
@@ -324,7 +324,7 @@ parse_year (SoupDate *date, const char **date_string)
 	while (*end == ' ' || *end == '-')
 		end++;
 	*date_string = end;
-	return TRUE;
+	return date->year > 0 && date->year < 9999;
 }
 
 static inline gboolean
@@ -348,7 +348,7 @@ parse_time (SoupDate *date, const char **date_string)
 	while (*p == ' ')
 		p++;
 	*date_string = p;
-	return TRUE;
+	return  date->hour >= 0 && date->hour < 24 && date->minute >= 0 && date->minute < 60 && date->second >= 0 && date->second < 60;
 }
 
 static inline gboolean
@@ -361,8 +361,15 @@ parse_timezone (SoupDate *date, const char **date_string)
 		gulong val;
 		int sign = (**date_string == '+') ? -1 : 1;
 		val = strtoul (*date_string + 1, (char **)date_string, 10);
+		if (val > 9999)
+			return FALSE;
 		if (**date_string == ':')
-			val = 60 * val + strtoul (*date_string + 1, (char **)date_string, 10);
+		{
+			gulong val2 = strtoul (*date_string + 1, (char **)date_string, 10);
+			if (val > 99 || val2 > 99)
+				return FALSE;
+			val = 60 * val + val2;
+		}
 		else
 			val =  60 * (val / 100) + (val % 100);
 		date->offset = sign * val;
@@ -407,7 +414,8 @@ parse_textual_date (SoupDate *date, const char *date_string)
 		if (!parse_month (date, &date_string) ||
 		    !parse_day (date, &date_string) ||
 		    !parse_time (date, &date_string) ||
-		    !parse_year (date, &date_string))
+		    !parse_year (date, &date_string) ||
+		    !g_date_valid_dmy(date->day, date->month, date->year))
 			return FALSE;
 
 		/* There shouldn't be a timezone, but check anyway */
@@ -419,7 +427,8 @@ parse_textual_date (SoupDate *date, const char *date_string)
 		if (!parse_day (date, &date_string) ||
 		    !parse_month (date, &date_string) ||
 		    !parse_year (date, &date_string) ||
-		    !parse_time (date, &date_string))
+		    !parse_time (date, &date_string) ||
+		    !g_date_valid_dmy(date->day, date->month, date->year))
 			return FALSE;
 
 		/* This time there *should* be a timezone, but we
diff --git a/tests/cookies-test.c b/tests/cookies-test.c
index 2e2a54f..6035a86 100644
--- a/tests/cookies-test.c
+++ b/tests/cookies-test.c
@@ -413,6 +413,15 @@ do_remove_feature_test (void)
 	soup_uri_free (uri);
 }
 
+static void
+do_cookies_parsing_int32_overflow (void)
+{
+	SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9    999:9:9+ 999999999-age=main=gne=", NULL);
+	g_assert_nonnull (cookie);
+	g_assert_null (soup_cookie_get_expires (cookie));
+	soup_cookie_free (cookie);
+}
+
 int
 main (int argc, char **argv)
 {
@@ -434,6 +443,7 @@ main (int argc, char **argv)
 	g_test_add_func ("/cookies/accept-policy-subdomains", do_cookies_subdomain_policy_test);
 	g_test_add_func ("/cookies/parsing", do_cookies_parsing_test);
 	g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin);
+	g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow);
 	g_test_add_func ("/cookies/get-cookies/empty-host", do_get_cookies_empty_host_test);
 	g_test_add_func ("/cookies/remove-feature", do_remove_feature_test);
 	g_test_add_func ("/cookies/secure-cookies", do_cookies_strict_secure_test);
-- 
2.34.1
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-07-21 04:38:39 +0000