|
| 1 | +From 9045f1ae252a5bbda8b51335c81aca009c753838 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Milan Crha < [email protected]> |
| 3 | +Date: Thu, 15 May 2025 17:49:11 +0200 |
| 4 | +Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body |
| 5 | + |
| 6 | +It could happen that the boundary started at a place which resulted into |
| 7 | +a negative number, which in an unsigned integer is a very large value. |
| 8 | +Check the body size is not a negative value before setting it. |
| 9 | + |
| 10 | +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449 |
| 11 | + |
| 12 | +Part-of: <https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463> |
| 13 | +--- |
| 14 | + libsoup/soup-multipart.c | 2 +- |
| 15 | + tests/multipart-test.c | 40 ++++++++++++++++++++++++++++++++++++++++ |
| 16 | + 2 files changed, 41 insertions(+), 1 deletion(-) |
| 17 | + |
| 18 | +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c |
| 19 | +index 102ce37..a587fe7 100644 |
| 20 | +--- a/libsoup/soup-multipart.c |
| 21 | ++++ b/libsoup/soup-multipart.c |
| 22 | +@@ -204,7 +204,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers, |
| 23 | + */ |
| 24 | + part_body = g_bytes_new_from_bytes (body, // FIXME |
| 25 | + split - body_data, |
| 26 | +- end - 2 - split); |
| 27 | ++ end - 2 >= split ? end - 2 - split : 0); |
| 28 | + g_ptr_array_add (multipart->bodies, part_body); |
| 29 | + |
| 30 | + start = end; |
| 31 | +diff --git a/tests/multipart-test.c b/tests/multipart-test.c |
| 32 | +index ab5f41c..a3a0b36 100644 |
| 33 | +--- a/tests/multipart-test.c |
| 34 | ++++ b/tests/multipart-test.c |
| 35 | +@@ -527,6 +527,45 @@ test_multipart_bounds_bad (void) |
| 36 | + g_bytes_unref (bytes); |
| 37 | + } |
| 38 | + |
| 39 | ++static void |
| 40 | ++test_multipart_too_large (void) |
| 41 | ++{ |
| 42 | ++ const char *raw_body = |
| 43 | ++ "-------------------\r\n" |
| 44 | ++ "-\n" |
| 45 | ++ "Cont\"\r\n" |
| 46 | ++ "Content-Tynt----e:n\x8erQK\r\n" |
| 47 | ++ "Content-Disposition: name= form-; name=\"file\"; filename=\"ype:i/ -d; ----\xae\r\n" |
| 48 | ++ "Content-Typimag\x01/png--\\\n" |
| 49 | ++ "\r\n" |
| 50 | ++ "---:\n\r\n" |
| 51 | ++ "\r\n" |
| 52 | ++ "-------------------------------------\r\n" |
| 53 | ++ "---------\r\n" |
| 54 | ++ "----------------------"; |
| 55 | ++ GBytes *body; |
| 56 | ++ GHashTable *params; |
| 57 | ++ SoupMessageHeaders *headers; |
| 58 | ++ SoupMultipart *multipart; |
| 59 | ++ |
| 60 | ++ params = g_hash_table_new (g_str_hash, g_str_equal); |
| 61 | ++ g_hash_table_insert (params, (gpointer) "boundary", (gpointer) "-----------------"); |
| 62 | ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); |
| 63 | ++ soup_message_headers_set_content_type (headers, "multipart/form-data", params); |
| 64 | ++ g_hash_table_unref (params); |
| 65 | ++ |
| 66 | ++ body = g_bytes_new_static (raw_body, strlen (raw_body)); |
| 67 | ++ multipart = soup_multipart_new_from_message (headers, body); |
| 68 | ++ soup_message_headers_unref (headers); |
| 69 | ++ g_bytes_unref (body); |
| 70 | ++ |
| 71 | ++ g_assert_nonnull (multipart); |
| 72 | ++ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1); |
| 73 | ++ g_assert_true (soup_multipart_get_part (multipart, 0, &headers, &body)); |
| 74 | ++ g_assert_cmpint (g_bytes_get_size (body), ==, 0); |
| 75 | ++ soup_multipart_free (multipart); |
| 76 | ++} |
| 77 | ++ |
| 78 | + int |
| 79 | + main (int argc, char **argv) |
| 80 | + { |
| 81 | +@@ -556,6 +595,7 @@ main (int argc, char **argv) |
| 82 | + g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart); |
| 83 | + g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good); |
| 84 | + g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad); |
| 85 | ++ g_test_add_func ("/multipart/too-large", test_multipart_too_large); |
| 86 | + |
| 87 | + ret = g_test_run (); |
| 88 | + |
| 89 | +-- |
| 90 | +2.45.4 |
| 91 | + |
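Review bot: The clamp added to the length argument of `g_bytes_new_from_bytes` in libsoup/soup-multipart.c turns a part whose `split` lies past `end - 2` into a zero-length body without a comment saying why, and the `// FIXME` on the same call stays unexplained. A short comment above the call would record the intent, e.g. `/* split can pass end - 2 on malformed input; clamp so the length cannot wrap when converted to an unsigned size */`. The offset argument `split - body_data` is passed through unchanged, so it presumably relies on checks earlier in `soup_multipart_new_from_message`, which start outside the hunk; it is worth confirming that the offset stays inside the body whenever the clamp is hit. The new test `test_multipart_too_large` pins the accept-as-empty behaviour (one part, size 0), so if rejecting such a message was the intended policy, the test would have to change with it.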