1 files changed, 43 insertions, 0 deletions

diff --git a/patches/source/libsoup/libsoup.CVE-2017-2885.diff b/patches/source/libsoup/libsoup.CVE-2017-2885.diff
new file mode 100644
index 00000000..e0c318a2
--- /dev/null
+++ b/patches/source/libsoup/libsoup.CVE-2017-2885.diff
@@ -0,0 +1,43 @@
+--- libsoup-2.58.1/libsoup/soup-filter-input-stream.c	2016-12-03 08:59:41.000000000 -0600
++++ libsoup-2.58.2/libsoup/soup-filter-input-stream.c	2017-08-10 07:06:09.000000000 -0500
+@@ -198,7 +198,7 @@
+ 				     GCancellable           *cancellable,
+ 				     GError                **error)
+ {
+-	gssize nread;
++	gssize nread, read_length;
+ 	guint8 *p, *buf, *end;
+ 	gboolean eof = FALSE;
+ 	GError *my_error = NULL;
+@@ -251,10 +251,11 @@
+ 	} else
+ 		buf = fstream->priv->buf->data;
+ 
+-	/* Scan for the boundary */
+-	end = buf + fstream->priv->buf->len;
+-	if (!eof)
+-		end -= boundary_length;
++	/* Scan for the boundary within the range we can possibly return. */
++	if (include_boundary)
++		end = buf + MIN (fstream->priv->buf->len, length) - boundary_length;
++	else
++		end = buf + MIN (fstream->priv->buf->len - boundary_length, length);
+ 	for (p = buf; p <= end; p++) {
+ 		if (*p == *(guint8*)boundary &&
+ 		    !memcmp (p, boundary, boundary_length)) {
+@@ -268,10 +269,9 @@
+ 	if (!*got_boundary && fstream->priv->buf->len < length && !eof)
+ 		goto fill_buffer;
+ 
+-	/* Return everything up to 'p' (which is either just after the boundary if
+-	 * include_boundary is TRUE, just before the boundary if include_boundary is
+-	 * FALSE, @boundary_len - 1 bytes before the end of the buffer, or end-of-
+-	 * file).
+-	 */
+-	return read_from_buf (fstream, buffer, p - buf);
++	if (eof && !*got_boundary)
++		read_length = MIN (fstream->priv->buf->len, length);
++	else
++		read_length = p - buf;
++	return read_from_buf (fstream, buffer, read_length);
+ }