From 19ee0f25bc166d62349cd369311693b92b8ed441 Mon Sep 17 00:00:00 2001
From: liyajie
Date: Fri, 29 Nov 2024 05:50:24 +0800
Subject: [PATCH] Fix CVE-2024-4109
(cherry picked from commit d973b2a8473fa0f8468fd3ba8a2ad876b91a1a8b)
---
 CVE-2024-4109.patch | 50 +++++++++++++++++++++++++++++++++++++++++++++
 undertow.spec | 6 +++++-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-4109.patch
diff --git a/CVE-2024-4109.patch b/CVE-2024-4109.patch
new file mode 100644
index 0000000..6914cf8
--- /dev/null
+++ b/CVE-2024-4109.patch
@@ -0,0 +1,50 @@
+From 28229fe98d5818f2329cb42151c31471367f20c3 Mon Sep 17 00:00:00 2001
+From: liyajie
+Date: Fri, 29 Nov 2024 03:44:57 +0800
+Subject: [PATCH 1/1] Fix CVE-2024-4109
+
+https://github.com/apache/tomcat/commit/8d2fe6894d6e258a6d615d7f786acca80e6020cb
+---
+ .../io/undertow/protocols/http2/HpackDecoder.java | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/core/src/main/java/io/undertow/protocols/http2/HpackDecoder.java b/core/src/main/java/io/undertow/protocols/http2/HpackDecoder.java
+index 8643130..f21dc1d 100644
+--- a/core/src/main/java/io/undertow/protocols/http2/HpackDecoder.java
++++ b/core/src/main/java/io/undertow/protocols/http2/HpackDecoder.java
+@@ -66,8 +66,6 @@ public class HpackDecoder {
+ */
+ private int maxMemorySize;
+
+- private final StringBuilder stringBuilder = new StringBuilder();
+-
+ public HpackDecoder(int maxMemorySize) {
+ this.maxMemorySize = maxMemorySize;
+ headerTable = new HeaderField[DEFAULT_RING_BUFFER_SIZE];
+@@ -227,19 +225,16 @@ public class HpackDecoder {
+ if (huffman) {
+ return readHuffmanString(length, buffer);
+ }
++ StringBuilder stringBuilder = new StringBuilder();
+ for (int i = 0; i < length; ++i) {
+ stringBuilder.append((char) buffer.get());
+ }
+- String ret = stringBuilder.toString();
+- stringBuilder.setLength(0);
+- return ret;
++ return stringBuilder.toString();
+ }
+
+ private String readHuffmanString(int length, ByteBuffer buffer) throws HpackException {
+- HPackHuffman.decode(buffer, length, stringBuilder);
+- String ret = stringBuilder.toString();
+- stringBuilder.setLength(0);
+- return ret;
++ StringBuilder stringBuilder = new StringBuilder(length);
++ return stringBuilder.toString();
+ }
+
+ private HttpString handleIndexedHeaderName(int index) throws HpackException {
+--
+2.43.0
+
diff --git a/undertow.spec b/undertow.spec
index bf7c759..11dc02d 100644
--- a/undertow.spec
+++ b/undertow.spec
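Review bot: In the embedded HpackDecoder.java hunk at `@@ -227,19 +225,16 @@`, `readHuffmanString` loses its `HPackHuffman.decode(buffer, length, stringBuilder);` call and none of the four added lines puts it back, so the new method allocates an empty `StringBuilder` and returns `""`. Every Huffman-coded header name or value would then decode to an empty string, and since the decode call was the only visible use of `buffer` in that method, the `length` bytes presumably stay unread and the following HPACK fields are parsed from the wrong position. Moving the shared builder to a per-call local is the intended fix, but the local still has to be filled: `StringBuilder stringBuilder = new StringBuilder(length);` then `HPackHuffman.decode(buffer, length, stringBuilder);` then `return stringBuilder.toString();`. The non-Huffman branch just above keeps its append loop, so only the Huffman path is affected. A unit test that decodes a Huffman-encoded header block and asserts the header text would catch this before the package ships.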
@@ -2,7 +2,7 @@ %global namedversion %{version}%{?namedreltag} Name: undertow Version: 1.4.0 -Release: 8 +Release: 9 Summary: Java web server using non-blocking IO License: ASL 2.0 URL: http://undertow.io/ @@ -16,6 +16,7 @@ Patch4: CVE-2023-1108.patch Patch5: CVE-2021-3690.patch Patch6: CVE-2023-1973.patch Patch7: CVE-2023-5379.patch +Patch8: CVE-2024-4109.patch BuildArch: noarch Epoch: 1 BuildRequires: maven-local mvn(junit:junit) mvn(org.eclipse.jetty.alpn:alpn-api) @@ -77,6 +78,9 @@ export CXXFLAGS="${RPM_OPT_FLAGS}" %license LICENSE.txt %changelog +* Tue Dec 17 2024 liyajie - 1:1.4.0-9 +- Fix CVE-2024-4109 + * Tue Nov 05 2024 yaoxin - 1:1.4.0-8 - Fix CVE-2021-3690,CVE-2023-1973 and CVE-2023-5379 -- Gitee