uriparser/CVE-2024-34402.patch

From 760ade2947415dbb100053cf793c2f96fe257386 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 28 Apr 2024 21:26:45 +0200
Subject: [PATCH] Protect against integer overflow in ComposeQueryEngine

Requires string input that is longer than INT_MAX to exploit.
---
 src/UriQuery.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/UriQuery.c b/src/UriQuery.c
index b2734bc2..29c6f473 100644
--- a/src/UriQuery.c
+++ b/src/UriQuery.c
@@ -70,6 +70,7 @@
 
 
 #include <limits.h>
+#include <stddef.h> /* size_t */
 
 
 
@@ -218,16 +219,16 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,
 		const URI_CHAR * const key = queryList->key;
 		const URI_CHAR * const value = queryList->value;
 		const int worstCase = (normalizeBreaks == URI_TRUE ? 6 : 3);
-		const int keyLen = (key == NULL) ? 0 : (int)URI_STRLEN(key);
+		const size_t keyLen = (key == NULL) ? 0 : URI_STRLEN(key);
 		int keyRequiredChars;
-		const int valueLen = (value == NULL) ? 0 : (int)URI_STRLEN(value);
+		const size_t valueLen = (value == NULL) ? 0 : URI_STRLEN(value);
 		int valueRequiredChars;
 
-		if ((keyLen >= INT_MAX / worstCase) || (valueLen >= INT_MAX / worstCase)) {
+		if ((keyLen >= (size_t)INT_MAX / worstCase) || (valueLen >= (size_t)INT_MAX / worstCase)) {
 			return URI_ERROR_OUTPUT_TOO_LARGE;
 		}
-		keyRequiredChars = worstCase * keyLen;
-		valueRequiredChars = worstCase * valueLen;
+		keyRequiredChars = worstCase * (int)keyLen;
+		valueRequiredChars = worstCase * (int)valueLen;
 
 		if (dest == NULL) {
 			(*charsRequired) += ampersandLen + keyRequiredChars + ((value == NULL)
Sync from SUSE:ALP:Source:Standard:1.0 uriparser revision 40960d33d7fa9b612b1dbc30e6fe983b 2024-11-28 14:25:33 +01:00			`From 760ade2947415dbb100053cf793c2f96fe257386 Mon Sep 17 00:00:00 2001`
			`From: Sebastian Pipping <sebastian@pipping.org>`
			`Date: Sun, 28 Apr 2024 21:26:45 +0200`
			`Subject: [PATCH] Protect against integer overflow in ComposeQueryEngine`

			`Requires string input that is longer than INT_MAX to exploit.`
			`---`
			`src/UriQuery.c \| 11 ++++++-----`
			`1 file changed, 6 insertions(+), 5 deletions(-)`

			`diff --git a/src/UriQuery.c b/src/UriQuery.c`
			`index b2734bc2..29c6f473 100644`
			`--- a/src/UriQuery.c`
			`+++ b/src/UriQuery.c`
			`@@ -70,6 +70,7 @@`


			`#include <limits.h>`
			`+#include <stddef.h> /* size_t */`



			`@@ -218,16 +219,16 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,`
			`const URI_CHAR * const key = queryList->key;`
			`const URI_CHAR * const value = queryList->value;`
			`const int worstCase = (normalizeBreaks == URI_TRUE ? 6 : 3);`
			`- const int keyLen = (key == NULL) ? 0 : (int)URI_STRLEN(key);`
			`+ const size_t keyLen = (key == NULL) ? 0 : URI_STRLEN(key);`
			`int keyRequiredChars;`
			`- const int valueLen = (value == NULL) ? 0 : (int)URI_STRLEN(value);`
			`+ const size_t valueLen = (value == NULL) ? 0 : URI_STRLEN(value);`
			`int valueRequiredChars;`

			`- if ((keyLen >= INT_MAX / worstCase) \|\| (valueLen >= INT_MAX / worstCase)) {`
			`+ if ((keyLen >= (size_t)INT_MAX / worstCase) \|\| (valueLen >= (size_t)INT_MAX / worstCase)) {`
			`return URI_ERROR_OUTPUT_TOO_LARGE;`
			`}`
			`- keyRequiredChars = worstCase * keyLen;`
			`- valueRequiredChars = worstCase * valueLen;`
			`+ keyRequiredChars = worstCase * (int)keyLen;`
			`+ valueRequiredChars = worstCase * (int)valueLen;`

			`if (dest == NULL) {`
			`(*charsRequired) += ampersandLen + keyRequiredChars + ((value == NULL)`