| 12345678910111213141516171819202122232425262728293031323334353637383940 |
- From a7d0c58608ed830bedfb6b92aea11e00feb55aa9 Mon Sep 17 00:00:00 2001
- From: Milan Crha <mcrha@redhat.com>
- Date: Mon, 19 May 2025 17:48:27 +0200
- Subject: [PATCH] soup-multipart: Verify array bounds before accessing its
- members
- The boundary could be at a place which, calculated, pointed
- before the beginning of the array. Check the bounds, to avoid
- read out of the array bounds.
- Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447
- CVE: CVE-2025-4969
- Upstream-Status: Backport
- [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/467/diffs?commit_id=b5b4dd10d4810f0c87b4eaffe88504f06e502f33]
- Upstream: https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch
- Signed-off-by: Changqing Li <changqing.li@windriver.com>
- Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
- ---
- libsoup/soup-multipart.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
- diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
- index ce2fc10..a29cdf0 100644
- --- a/libsoup/soup-multipart.c
- +++ b/libsoup/soup-multipart.c
- @@ -108,7 +108,7 @@ find_boundary (const char *start, const char *end,
- continue;
-
- /* Check that it's at start of line */
- - if (!(b == start || (b[-1] == '\n' && b[-2] == '\r')))
- + if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r')))
- continue;
-
- /* Check for "--" or "\r\n" after boundary */
- --
- 2.34.1
|
