From 67271e710e2097c74b2d52a91ab0d7ef5e7b4c45 Mon Sep 17 00:00:00 2001
From: sa-buc <lzq02303433@j38c15140.eu95sqa>
Date: Mon, 23 Jun 2025 11:33:38 +0800
Subject: [PATCH] libsoup-test

Signed-off-by: sa-buc <lzq02303433@j38c15140.eu95sqa>
---
 1015-bugfix-for-CVE-2025-4948.patch | 95 +++++++++++++++++++++++++++++
 libsoup.spec                        |  7 ++-
 2 files changed, 101 insertions(+), 1 deletion(-)
 create mode 100644 1015-bugfix-for-CVE-2025-4948.patch

diff --git a/1015-bugfix-for-CVE-2025-4948.patch b/1015-bugfix-for-CVE-2025-4948.patch
new file mode 100644
index 0000000..d68fa8f
--- /dev/null
+++ b/1015-bugfix-for-CVE-2025-4948.patch
@@ -0,0 +1,95 @@
+From 8f41cc8571c31f36c24bf3bd0a1cc57d86a31b90 Mon Sep 17 00:00:00 2001
+From: lzq11122  <lzq02303433@alibaba-inc.com>
+Date: Mon, 23 Jun 2025 10:49:43 +0800
+Subject: [PATCH 1/1] fix CVE-2025-4948
+
+---
+ libsoup/soup-multipart.c |  2 +-
+ tests/multipart-test.c   | 43 ++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 42 insertions(+), 3 deletions(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index dd93973..ce2fc10 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -214,7 +214,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ 		 */
+ 		part_body = soup_buffer_new_subbuffer (flattened,
+ 						       split - flattened->data,
+-						       end - 2 - split);
++						       end - 2 >= split ? end - 2 - split : 0);
+ 		g_ptr_array_add (multipart->bodies, part_body);
+ 
+ 		start = end;
+diff --git a/tests/multipart-test.c b/tests/multipart-test.c
+index 64a5ebf..36c47f0 100644
+--- a/tests/multipart-test.c
++++ b/tests/multipart-test.c
+@@ -479,6 +479,45 @@ test_multipart (gconstpointer data)
+ 	g_main_loop_unref (loop);
+ }
+ 
++static void
++test_multipart_too_large (void)
++{
++	const char *raw_body =
++		"-------------------\r\n"
++		"-\n"
++		"Cont\"\r\n"
++		"Content-Tynt----e:n\x8erQK\r\n"
++		"Content-Disposition:   name=  form-; name=\"file\"; filename=\"ype:i/  -d; ----\xae\r\n"
++		"Content-Typimag\x01/png--\\\n"
++		"\r\n"
++		"---:\n\r\n"
++		"\r\n"
++		"-------------------------------------\r\n"
++		"---------\r\n"
++		"----------------------";
++	GBytes *body;
++	GHashTable *params;
++	SoupMessageHeaders *headers;
++	SoupMultipart *multipart;
++
++	params = g_hash_table_new (g_str_hash, g_str_equal);
++	g_hash_table_insert (params, (gpointer) "boundary", (gpointer) "-----------------");
++	headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
++	soup_message_headers_set_content_type (headers, "multipart/form-data", params);
++	g_hash_table_unref (params);
++
++	body = g_bytes_new_static (raw_body, strlen (raw_body));
++	multipart = soup_multipart_new_from_message (headers, body);
++	soup_message_headers_free (headers);
++	g_bytes_unref (body);
++
++	g_assert_nonnull (multipart);
++	g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
++	g_assert_true (soup_multipart_get_part (multipart, 0, &headers, &body));
++	g_assert_cmpint (g_bytes_get_size (body), ==, 0);
++	soup_multipart_free (multipart);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -493,7 +532,7 @@ main (int argc, char **argv)
+ 	soup_server_add_handler (server, NULL, server_callback, NULL, NULL);
+ 	base_uri = soup_test_server_get_uri (server, "http", NULL);
+ 	base_uri_string = soup_uri_to_string (base_uri, FALSE);
+-
++	
+ 	/* FIXME: I had to raise the number of connections allowed here, otherwise I
+ 	 * was hitting the limit, which indicates some connections are not dying.
+ 	 */
+@@ -508,7 +547,7 @@ main (int argc, char **argv)
+ 	g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart);
+ 	g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart);
+ 	g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
+-
++	g_test_add_func ("/multipart/too-large", test_multipart_too_large);
+ 	ret = g_test_run ();
+ 
+ 	soup_uri_free (base_uri);
+-- 
+2.43.5
+
+
diff --git a/libsoup.spec b/libsoup.spec
index 5f85671..4423306 100644
--- a/libsoup.spec
+++ b/libsoup.spec
@@ -1,4 +1,4 @@
-%define anolis_release 14
+%define anolis_release 15
 %define glib2_version 2.58
 
 %{!?with_docs: %global with_docs 1}
@@ -26,6 +26,8 @@ Patch11: 0011-bugfix-for-CVE-2025-32906.patch
 Patch12: 0012-bugfix-for-CVE-2025-32914.patch
 Patch13: 0013-bugfix-for-CVE-2025-32049.patch
 Patch14: 0014-bugfix-for-CVE-2025-2784.patch
+# From https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463/
+Patch15: 1015-bugfix-for-CVE-2025-4948.patch
 
 BuildRequires: gettext
 BuildRequires: glib-networking
@@ -135,6 +137,9 @@ This package contains developer documentation for %{name}.
 %endif
 
 %changelog
+* Mon Jun 18 2025 lzq11122 <lzq02303433@alibaba-inc.com> - 2.74.3-15
+- add patch to fix CVE-2025-4948
+
 * Fri Jun 13 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 2.74.3-14
 - fix CVE-2025-2784
 
-- 
Gitee