libsoup/libsoup-CVE-2025-32051.patch

From 0713ba4a719da938dc8facc89fca99cd0aa3069f Mon Sep 17 00:00:00 2001
From: Ar Jun <pkillarjun@protonmail.com>
Date: Sat, 16 Nov 2024 11:50:09 -0600
Subject: [PATCH] Fix possible NULL deref in soup_uri_decode_data_uri

---
 libsoup/soup-uri-utils.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c
index 4e76b74d..9dab5d65 100644
--- a/libsoup/soup-uri-utils.c
+++ b/libsoup/soup-uri-utils.c
@@ -303,6 +303,8 @@ soup_uri_decode_data_uri (const char *uri,
 
         uri_string = g_uri_to_string (soup_uri);
         g_uri_unref (soup_uri);
+        if (!uri_string)
+                return NULL;
 
         start = uri_string + 5;
         comma = strchr (start, ',');
-- 
From 79cfd65c9bd8024cd45dd725c284766329873709 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 22 Nov 2024 13:39:51 -0600
Subject: [PATCH] soup_uri_decode_data_uri(): Handle URIs with a path starting
 with //

---
 libsoup/soup-uri-utils.c | 8 ++++++++
 tests/uri-parsing-test.c | 2 ++
 2 files changed, 10 insertions(+)

diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c
index 9dab5d65..f61e7656 100644
--- a/libsoup/soup-uri-utils.c
+++ b/libsoup/soup-uri-utils.c
@@ -286,6 +286,7 @@ soup_uri_decode_data_uri (const char *uri,
         gboolean base64 = FALSE;
         char *uri_string;
         GBytes *bytes;
+        const char *path;
 
         g_return_val_if_fail (uri != NULL, NULL);
 
@@ -301,6 +302,13 @@ soup_uri_decode_data_uri (const char *uri,
         if (content_type)
                 *content_type = NULL;
 
+        /* g_uri_to_string() is picky about paths that start with `//` and will assert. */
+        path = g_uri_get_path (soup_uri);
+        if (path[0] == '/' && path[1] == '/') {
+                g_uri_unref (soup_uri);
+                return NULL;
+        }
+
         uri_string = g_uri_to_string (soup_uri);
         g_uri_unref (soup_uri);
         if (!uri_string)
diff --git a/tests/uri-parsing-test.c b/tests/uri-parsing-test.c
index 1f16273d..418391eb 100644
--- a/tests/uri-parsing-test.c
+++ b/tests/uri-parsing-test.c
@@ -141,6 +141,8 @@ static struct {
         { "data:text/plain;base64,aGVsbG8=", "hello", "text/plain" },
         { "data:text/plain;base64,invalid=", "", "text/plain" },
         { "data:,", "", CONTENT_TYPE_DEFAULT },
+        { "data:.///", NULL, NULL },
+        { "data:/.//", NULL, NULL },
 };
 
 static void
-- 
2.49.0
Sync from SUSE:ALP:Source:Standard:1.0 libsoup revision f6c6d2ea61ee6b48a9b31655e6ccfddd 2025-05-29 11:15:05 +02:00			`From 0713ba4a719da938dc8facc89fca99cd0aa3069f Mon Sep 17 00:00:00 2001`
			`From: Ar Jun <pkillarjun@protonmail.com>`
			`Date: Sat, 16 Nov 2024 11:50:09 -0600`
			`Subject: [PATCH] Fix possible NULL deref in soup_uri_decode_data_uri`

			`---`
			`libsoup/soup-uri-utils.c \| 2 ++`
			`1 file changed, 2 insertions(+)`

			`diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c`
			`index 4e76b74d..9dab5d65 100644`
			`--- a/libsoup/soup-uri-utils.c`
			`+++ b/libsoup/soup-uri-utils.c`
			`@@ -303,6 +303,8 @@ soup_uri_decode_data_uri (const char *uri,`

			`uri_string = g_uri_to_string (soup_uri);`
			`g_uri_unref (soup_uri);`
			`+ if (!uri_string)`
			`+ return NULL;`

			`start = uri_string + 5;`
			`comma = strchr (start, ',');`
			`--`
			`From 79cfd65c9bd8024cd45dd725c284766329873709 Mon Sep 17 00:00:00 2001`
			`From: Patrick Griffis <pgriffis@igalia.com>`
			`Date: Fri, 22 Nov 2024 13:39:51 -0600`
			`Subject: [PATCH] soup_uri_decode_data_uri(): Handle URIs with a path starting`
			`with //`

			`---`
			`libsoup/soup-uri-utils.c \| 8 ++++++++`
			`tests/uri-parsing-test.c \| 2 ++`
			`2 files changed, 10 insertions(+)`

			`diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c`
			`index 9dab5d65..f61e7656 100644`
			`--- a/libsoup/soup-uri-utils.c`
			`+++ b/libsoup/soup-uri-utils.c`
			`@@ -286,6 +286,7 @@ soup_uri_decode_data_uri (const char *uri,`
			`gboolean base64 = FALSE;`
			`char *uri_string;`
			`GBytes *bytes;`
			`+ const char *path;`

			`g_return_val_if_fail (uri != NULL, NULL);`

			`@@ -301,6 +302,13 @@ soup_uri_decode_data_uri (const char *uri,`
			`if (content_type)`
			`*content_type = NULL;`

			+ /* g_uri_to_string() is picky about paths that start with `//` and will assert. */
			`+ path = g_uri_get_path (soup_uri);`
			`+ if (path[0] == '/' && path[1] == '/') {`
			`+ g_uri_unref (soup_uri);`
			`+ return NULL;`
			`+ }`
			`+`
			`uri_string = g_uri_to_string (soup_uri);`
			`g_uri_unref (soup_uri);`
			`if (!uri_string)`
			`diff --git a/tests/uri-parsing-test.c b/tests/uri-parsing-test.c`
			`index 1f16273d..418391eb 100644`
			`--- a/tests/uri-parsing-test.c`
			`+++ b/tests/uri-parsing-test.c`
			`@@ -141,6 +141,8 @@ static struct {`
			`{ "data:text/plain;base64,aGVsbG8=", "hello", "text/plain" },`
			`{ "data:text/plain;base64,invalid=", "", "text/plain" },`
			`{ "data:,", "", CONTENT_TYPE_DEFAULT },`
			`+ { "data:.///", NULL, NULL },`
			`+ { "data:/.//", NULL, NULL },`
			`};`

			`static void`
			`--`
			`2.49.0`