File tomcat-9.0.36-CVE-2025-52520.patch of Package tomcat.40071

Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/connector/Request.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/connector/Request.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/connector/Request.java
@@ -2893,11 +2893,10 @@ public class Request implements HttpServ
                 List<FileItem> items =
                         upload.parseRequest(new ServletRequestContext(this));
                 int maxPostSize = getConnector().getMaxPostSize();
-                int postSize = 0;
+                long postSize = 0;
                 Charset charset = getCharset();
                 for (FileItem item : items) {
                     ApplicationPart part = new ApplicationPart(item, location);
-                    parts.add(part);
                     if (part.getSubmittedFileName() == null) {
                         String name = part.getName();
                         String value = null;
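Review bot: The widened declaration `long postSize = 0;` has no comment explaining why the type matters, so a later cleanup could narrow it back to `int`. The removed accumulator was updated with `postSize += part.getSize()` (next hunk), and a compound assignment narrows silently, so an `int` total could wrap and stay below the `postSize > maxPostSize` comparison. I would add above the declaration: `// long on purpose: part sizes are long; an int total can wrap and defeat the maxPostSize check`. The enclosing method begins and ends outside this hunk.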
@@ -2909,15 +2908,16 @@ public class Request implements HttpServ
                         if (maxPostSize >= 0) {
                             // Have to calculate equivalent size. Not completely
                             // accurate but close enough.
-                            postSize += name.getBytes(charset).length;
+                            // Name
+                            postSize = Math.addExact(postSize, name.getBytes(charset).length);
                             if (value != null) {
                                 // Equals sign
-                                postSize++;
+                                postSize = Math.addExact(postSize, 1);
                                 // Value length
-                                postSize += part.getSize();
+                                postSize = Math.addExact(postSize, part.getSize());
                             }
                             // Value separator
-                            postSize++;
+                            postSize = Math.addExact(postSize, 1);
                             if (postSize > maxPostSize) {
                                 parameters.setParseFailedReason(FailReason.POST_TOO_LARGE);
                                 throw new IllegalStateException(sm.getString(
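Review bot: `Math.addExact` reports overflow with `ArithmeticException`, a different type from the `IllegalStateException` this block throws for `POST_TOO_LARGE`, and the handlers of the enclosing try are outside the hunk. If none of them covers `ArithmeticException`, that path would leave the method without `parameters.setParseFailedReason(...)` being called, unlike the limit path. With a `long` total, overflow is only reachable at sizes far beyond any configured limit, so a comment is probably enough: `// addExact is defensive only; the maxPostSize check below rejects long before a long total can overflow`. Note also that this check runs after `upload.parseRequest(...)` has returned, so it bounds what is turned into parameters rather than what was read from the client.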
@@ -2926,6 +2926,7 @@ public class Request implements HttpServ
                         }
                         parameters.addParameter(name, value);
                     }
+                    parts.add(part);
                 }
 
                 success = true;
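Review bot: Moving `parts.add(part)` below the limit check means the part that trips `POST_TOO_LARGE` is no longer in `parts` when the `IllegalStateException` is thrown. The code that releases part storage is outside this hunk; if it walks `parts`, the `ApplicationPart` built for that item is no longer covered by it, whereas before the patch it was. Please confirm the failure path still disposes of that item. If the new ordering is intentional, say so at the new position, for example `// added only after the size check passes; a rejected part never reaches parts`.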
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -147,6 +147,10 @@
         Expand the path checks for Pre-Resources and Post-Resources mounted at a
         path within the web application. (markt)
       </fix>
+      <fix>
+        Align size tracking for multipart requests with FileUpload's use of
+        <code>long</code>. (schultz)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">