File libsoup-CVE-2025-2784.patch of Package libsoup.38914
Backport of 242a10fb and c415ad0b
--
diff -urp libsoup-3.0.4.orig/libsoup/content-sniffer/soup-content-sniffer.c libsoup-3.0.4/libsoup/content-sniffer/soup-content-sniffer.c
--- libsoup-3.0.4.orig/libsoup/content-sniffer/soup-content-sniffer.c 2025-04-18 12:58:37.448159697 -0500
+++ libsoup-3.0.4/libsoup/content-sniffer/soup-content-sniffer.c 2025-04-18 12:58:38.247474644 -0500
@@ -635,8 +635,11 @@ sniff_text_or_binary (SoupContentSniffer
}
static gboolean
-skip_insignificant_space (const char *resource, int *pos, int resource_length)
+skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
{
+ if (*pos >= resource_length)
+ return TRUE;
+
while ((resource[*pos] == '\x09') ||
(resource[*pos] == '\x20') ||
(resource[*pos] == '\x0A') ||
@@ -656,7 +659,7 @@ sniff_feed_or_html (SoupContentSniffer *
gsize resource_length;
const char *resource = g_bytes_get_data (buffer, &resource_length);
resource_length = MIN (512, resource_length);
- int pos = 0;
+ gsize pos = 0;
if (resource_length < 3)
goto text_html;
@@ -666,9 +669,6 @@ sniff_feed_or_html (SoupContentSniffer *
pos = 3;
look_for_tag:
- if (pos > resource_length)
- goto text_html;
-
if (skip_insignificant_space (resource, &pos, resource_length))
goto text_html;
diff -urp libsoup-3.0.4.orig/tests/meson.build libsoup-3.0.4/tests/meson.build
--- libsoup-3.0.4.orig/tests/meson.build 2022-01-05 20:48:16.223508000 -0600
+++ libsoup-3.0.4/tests/meson.build 2025-04-18 13:00:18.983495310 -0500
@@ -90,7 +90,9 @@ tests = [
{'name': 'session'},
{'name': 'server-auth'},
{'name': 'server'},
- {'name': 'sniffing'},
+ {'name': 'sniffing',
+ 'depends': [test_resources],
+ },
{'name': 'socket'},
{'name': 'ssl',
'dependencies': [gnutls_dep],
diff -urp libsoup-3.0.4.orig/tests/sniffing-test.c libsoup-3.0.4/tests/sniffing-test.c
--- libsoup-3.0.4.orig/tests/sniffing-test.c 2022-01-05 20:48:16.229507700 -0600
+++ libsoup-3.0.4/tests/sniffing-test.c 2025-04-18 12:58:38.247829155 -0500
@@ -342,6 +342,52 @@ test_disabled (gconstpointer data)
g_uri_unref (uri);
}
+static const gsize MARKUP_LENGTH = strlen ("<!--") + strlen ("-->");
+
+static void
+do_skip_whitespace_test (void)
+{
+ SoupContentSniffer *sniffer = soup_content_sniffer_new ();
+ SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "http://example.org");
+ const char *test_cases[] = {
+ "",
+ "<rdf:RDF",
+ "<rdf:RDFxmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"",
+ "<rdf:RDFxmlns=\"http://purl.org/rss/1.0/\"",
+ };
+
+ soup_message_headers_set_content_type (soup_message_get_response_headers (msg), "text/html", NULL);
+
+ for (guint i = 0; i < G_N_ELEMENTS (test_cases); i++) {
+ const char *trailing_data = test_cases[i];
+ gsize leading_zeros = 512 - MARKUP_LENGTH - strlen (trailing_data);
+ gsize testsize = MARKUP_LENGTH + leading_zeros + strlen (trailing_data);
+ guint8 *data = g_malloc0 (testsize);
+ guint8 *p = data;
+ char *content_type;
+ GBytes *buffer;
+
+ // Format of <!--[0x00 * $leading_zeros]-->$trailing_data
+ memcpy (p, "<!--", strlen ("<!--"));
+ p += strlen ("<!--");
+ p += leading_zeros;
+ memcpy (p, "-->", strlen ("-->"));
+ p += strlen ("-->");
+ if (strlen (trailing_data))
+ memcpy (p, trailing_data, strlen (trailing_data));
+ // Purposefully not NUL terminated.
+
+ buffer = g_bytes_new_take (g_steal_pointer (&data), testsize);
+ content_type = soup_content_sniffer_sniff (sniffer, msg, buffer, NULL);
+
+ g_free (content_type);
+ g_bytes_unref (buffer);
+ }
+
+ g_object_unref (msg);
+ g_object_unref (sniffer);
+}
+
int
main (int argc, char **argv)
{
@@ -517,6 +563,8 @@ main (int argc, char **argv)
"/text_or_binary/home.gif",
test_disabled);
+ g_test_add_func ("/sniffing/whitespace", do_skip_whitespace_test);
+
ret = g_test_run ();
g_uri_unref (base_uri);
