summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSeonah Moon <seonah1.moon@samsung.com>2018-06-18 11:36:46 +0900
committerSeonah Moon <seonah1.moon@samsung.com>2018-06-18 13:15:11 +0900
commitf12dfb9a8b56572461e3a0a54db3fa6296ae3021 (patch)
tree8dcea58a2182cd6b13250bb376a927f1051ded74
parent36d6ca55e5e8727b0e586b5aee564bb17fa2a920 (diff)
downloadlibsoup-accepted/tizen/unified/20180619.141853.tar.gz
libsoup-accepted/tizen/unified/20180619.141853.tar.bz2
libsoup-accepted/tizen/unified/20180619.141853.zip
Fix chunked decoding buffer overrun (CVE-2017-2885)submit/tizen/20180618.083141accepted/tizen/unified/20180619.141853
https://bugzilla.gnome.org/show_bug.cgi?id=785774 Change-Id: Ifc0acb59c638fec66993969230994c20dfbcd803
-rw-r--r--libsoup/soup-filter-input-stream.c22
1 files changed, 11 insertions, 11 deletions
diff --git a/libsoup/soup-filter-input-stream.c b/libsoup/soup-filter-input-stream.c
index 8067b882..deeee76c 100644
--- a/libsoup/soup-filter-input-stream.c
+++ b/libsoup/soup-filter-input-stream.c
@@ -201,7 +201,7 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream,
GCancellable *cancellable,
GError **error)
{
- gssize nread;
+ gssize nread, read_length;
guint8 *p, *buf, *end;
gboolean eof = FALSE;
GError *my_error = NULL;
@@ -254,10 +254,11 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream,
} else
buf = fstream->priv->buf->data;
- /* Scan for the boundary */
- end = buf + fstream->priv->buf->len;
- if (!eof)
- end -= boundary_length;
+ /* Scan for the boundary within the range we can possibly return. */
+ if (include_boundary)
+ end = buf + MIN (fstream->priv->buf->len, length) - boundary_length;
+ else
+ end = buf + MIN (fstream->priv->buf->len - boundary_length, length);
for (p = buf; p <= end; p++) {
if (*p == *(guint8*)boundary &&
!memcmp (p, boundary, boundary_length)) {
@@ -271,10 +272,9 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream,
if (!*got_boundary && fstream->priv->buf->len < length && !eof)
goto fill_buffer;
- /* Return everything up to 'p' (which is either just after the boundary if
- * include_boundary is TRUE, just before the boundary if include_boundary is
- * FALSE, @boundary_len - 1 bytes before the end of the buffer, or end-of-
- * file).
- */
- return read_from_buf (fstream, buffer, p - buf);
+ if (eof && !*got_boundary)
+ read_length = MIN (fstream->priv->buf->len, length);
+ else
+ read_length = p - buf;
+ return read_from_buf (fstream, buffer, read_length);
}