98 lines
3.5 KiB
Diff
98 lines
3.5 KiB
Diff
From 0a55f5ebde48cc3e488bff70215b22f103cc6077 Mon Sep 17 00:00:00 2001
|
|
From: Carlos Garcia Campos <cgarcia@igalia.com>
|
|
Date: Mon, 19 Jan 2026 15:14:58 +0100
|
|
Subject: [PATCH] multipart: check length of bytes read
|
|
soup_filter_input_stream_read_until()
|
|
|
|
We do make sure the read length is smaller than the buffer length when
|
|
the boundary is not found, but we should do the same when the boundary
|
|
is found.
|
|
|
|
Spotted in #YWH-PGM9867-149
|
|
Closes #493
|
|
---
|
|
libsoup/soup-filter-input-stream.c | 3 +-
|
|
tests/multipart-test.c | 46 ++++++++++++++++++++++++++++++
|
|
2 files changed, 48 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/libsoup/soup-filter-input-stream.c b/libsoup/soup-filter-input-stream.c
|
|
index b1e616c7..22541aa0 100644
|
|
--- a/libsoup/soup-filter-input-stream.c
|
|
+++ b/libsoup/soup-filter-input-stream.c
|
|
@@ -337,6 +337,7 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream,
|
|
if (eof && !*got_boundary)
|
|
read_length = MIN (priv->buf->len, length);
|
|
else
|
|
- read_length = p - buf;
|
|
+ read_length = MIN ((gsize)(p - buf), length);
|
|
+
|
|
return read_from_buf (fstream, buffer, read_length);
|
|
}
|
|
diff --git a/tests/multipart-test.c b/tests/multipart-test.c
|
|
index 92b673eb..0496a4c6 100644
|
|
--- a/tests/multipart-test.c
|
|
+++ b/tests/multipart-test.c
|
|
@@ -527,6 +527,51 @@ test_multipart_bounds_bad (void)
|
|
g_bytes_unref (bytes);
|
|
}
|
|
|
|
+static void
|
|
+test_multipart_bounds_bad_3 (void)
|
|
+{
|
|
+ SoupMessage *msg;
|
|
+ SoupMessageHeaders *headers;
|
|
+ GInputStream *in;
|
|
+ SoupMultipartInputStream *multipart;
|
|
+ GError *error = NULL;
|
|
+ const char raw_data[] = "\0$--A\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\nXXXXXXXXX\r\n--A--\r\n";
|
|
+
|
|
+ msg = soup_message_new(SOUP_METHOD_POST, "http://foo/upload");
|
|
+ headers = soup_message_get_response_headers (msg);
|
|
+ soup_message_headers_replace (headers, "Content-Type", "multipart/form-data; boundary=\"A\"");
|
|
+
|
|
+ in = g_memory_input_stream_new_from_data (raw_data + 2, sizeof(raw_data) - 2, NULL);
|
|
+ multipart = soup_multipart_input_stream_new (msg, in);
|
|
+ g_object_unref (in);
|
|
+
|
|
+ while (TRUE) {
|
|
+ in = soup_multipart_input_stream_next_part (multipart, NULL, &error);
|
|
+ g_assert_no_error (error);
|
|
+ if (!in) {
|
|
+ g_clear_error (&error);
|
|
+ break;
|
|
+ }
|
|
+
|
|
+ char buffer[10];
|
|
+ while (TRUE) {
|
|
+ gssize bytes_read;
|
|
+
|
|
+ bytes_read = g_input_stream_read (in, buffer, sizeof(buffer), NULL, &error);
|
|
+ g_assert_no_error (error);
|
|
+ if (bytes_read <= 0) {
|
|
+ g_clear_error (&error);
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ g_object_unref (in);
|
|
+ }
|
|
+
|
|
+ g_object_unref (multipart);
|
|
+ g_object_unref (msg);
|
|
+}
|
|
+
|
|
static void
|
|
test_multipart_too_large (void)
|
|
{
|
|
@@ -595,6 +640,7 @@ main (int argc, char **argv)
|
|
g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
|
|
g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
|
|
g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
|
|
+ g_test_add_func ("/multipart/bounds-bad-3", test_multipart_bounds_bad_3);
|
|
g_test_add_func ("/multipart/too-large", test_multipart_too_large);
|
|
|
|
ret = g_test_run ();
|
|
--
|
|
2.52.0
|
|
|