| 123456789101112131415161718192021222324252627282930313233343536373839404142 |
- From d9bcffd6cd5e8ec32889a594f7348d67a5101b3a Mon Sep 17 00:00:00 2001
- From: Changqing Li <changqing.li@windriver.com>
- Date: Mon, 12 May 2025 13:58:42 +0800
- Subject: [PATCH] Fix heap buffer overflow in
- soup-content-sniffer.c:sniff_feed_or_html()
- CVE: CVE-2025-32053
- Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/eaed42ca8d40cd9ab63764e3d63641180505f40a]
- Upstream: https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch
- Signed-off-by: Changqing Li <changqing.li@windriver.com>
- Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
- ---
- libsoup/soup-content-sniffer.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
- diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
- index 967ec61..5f2896e 100644
- --- a/libsoup/soup-content-sniffer.c
- +++ b/libsoup/soup-content-sniffer.c
- @@ -620,7 +620,7 @@ skip_insignificant_space (const char *resource, int *pos, int resource_length)
- (resource[*pos] == '\x0D')) {
- *pos = *pos + 1;
-
- - if (*pos > resource_length)
- + if (*pos >= resource_length)
- return TRUE;
- }
-
- @@ -682,7 +682,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
- do {
- pos++;
-
- - if (pos > resource_length)
- + if ((pos + 1) > resource_length)
- goto text_html;
- } while (resource[pos] != '>');
-
- --
- 2.34.1
|
