File libsoup2-CVE-2026-0716.patch of Package libsoup2

Index: libsoup-2.74.3/libsoup/soup-websocket-connection.c
===================================================================
--- libsoup-2.74.3.orig/libsoup/soup-websocket-connection.c
+++ libsoup-2.74.3/libsoup/soup-websocket-connection.c
@@ -1074,6 +1074,12 @@ process_frame (SoupWebsocketConnection *
 
 	payload = header + at;
 
+	/* at has a maximum value of 10 + 4 = 14 */
+	if (payload_len > G_MAXSIZE - 14) {
+		bad_data_error_and_close (self);
+		return FALSE;
+	}
+
 	if (masked) {
 		mask = header + at;
 		payload += 4;
Index: libsoup-2.74.3/tests/websocket-test.c
===================================================================
--- libsoup-2.74.3.orig/tests/websocket-test.c
+++ libsoup-2.74.3/tests/websocket-test.c
@@ -1865,6 +1865,88 @@ test_cookies_in_response (Test *test,
         soup_cookie_free (cookie);
 }
 
+static void
+test_bad_length_masked (Test *test,
+                    gconstpointer unused)
+{
+	GError *error = NULL;
+	GIOStream *io;
+	gsize written;
+	const char *frame;
+	gboolean close_event = FALSE;
+
+	g_signal_handlers_disconnect_by_func (test->server, on_error_not_reached, NULL);
+	g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error);
+	g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event);
+
+	io = soup_websocket_connection_get_io_stream (test->client);
+
+	soup_websocket_connection_set_max_incoming_payload_size (test->server, 0);
+
+	/* Malicious masked frame header (10-byte header + 4-byte mask) */
+	frame = "\x82\xff\xff\xff\xff\xff\xff\xff\xff\xf6\xaa\xbb\xcc\xdd";
+	if (!g_output_stream_write_all (g_io_stream_get_output_stream (io),
+					frame, 14, &written, NULL, NULL))
+		g_assert_cmpstr ("This code", ==, "should not be reached");
+	g_assert_cmpuint (written, ==, 14);
+
+	WAIT_UNTIL (error != NULL);
+	g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
+	g_clear_error (&error);
+
+	WAIT_UNTIL (soup_websocket_connection_get_state (test->client) == SOUP_WEBSOCKET_STATE_CLOSED);
+	g_assert_true (close_event);
+
+	g_assert_cmpuint (soup_websocket_connection_get_close_code (test->client), ==, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
+}
+
+static gpointer
+send_bad_length_frame_server_thread (gpointer user_data)
+{
+	Test *test = user_data;
+	const char frame[] = "\x82\x7f\xff\xff\xff\xff\xff\xff\xff\xf6";
+	gsize written;
+	GError *error = NULL;
+
+	g_output_stream_write_all (g_io_stream_get_output_stream (test->raw_server),
+				   frame, sizeof (frame), &written, NULL, &error);
+	g_assert_no_error (error);
+	g_assert_cmpuint (written, ==, sizeof (frame));
+
+	g_io_stream_close (test->raw_server, NULL, &error);
+	g_assert_no_error (error);
+
+	return NULL;
+}
+
+static void
+test_bad_length_unmasked (Test *test,
+                    gconstpointer unused)
+{
+	GThread *thread;
+	GBytes *received = NULL;
+	GError *error = NULL;
+
+	g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+	g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
+
+	soup_websocket_connection_set_max_incoming_payload_size (test->client, 0);
+
+	thread = g_thread_new ("send-bad-length-frame-thread", send_bad_length_frame_server_thread, test);
+
+	WAIT_UNTIL (error != NULL || received != NULL);
+	g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
+	g_clear_error (&error);
+	g_assert_null (received);
+
+	/* it can emit more errors while joining the thread, thus disconnect, to avoid memory leak */
+	g_signal_handlers_disconnect_by_func (test->client, G_CALLBACK (on_error_copy), &error);
+
+        g_thread_join (thread);
+
+	WAIT_UNTIL (soup_websocket_connection_get_state (test->client) == SOUP_WEBSOCKET_STATE_CLOSED);
+}
+
 int
 main (int argc,
       char *argv[])
@@ -2098,6 +2180,19 @@ main (int argc,
                     test_cookies_in_response,
                     teardown_soup_connection);
 
+	g_test_add ("/websocket/direct/bad-length-masked", Test, NULL,
+		    setup_direct_connection,
+		    test_bad_length_masked,
+		    teardown_direct_connection);
+	g_test_add ("/websocket/soup/bad-length-masked", Test, NULL,
+		    setup_soup_connection,
+		    test_bad_length_masked,
+		    teardown_soup_connection);
+	g_test_add ("/websocket/direct/bad-length-unmasked", Test, NULL,
+		    setup_half_direct_connection,
+		    test_bad_length_unmasked,
+		    teardown_direct_connection);
+
 	ret = g_test_run ();
 
 	test_cleanup ();