From 3bd302b63c1f6c4c10928aed2801e30045bc511f Mon Sep 17 00:00:00 2001
From: zhuhongbo <zhuhongbo@uniontech.com>
Date: Fri, 18 Jul 2025 11:18:40 +0800
Subject: [PATCH] fix cve CVE-2025-40907

---
 0001-fix-perl-FCGI-CVE-2025-40907.patch | 38 +++++++++++++++
 0002-fix-perl-FCGI-CVE-2025-40907.patch | 64 +++++++++++++++++++++++++
 perl-FCGI.spec                          |  9 +++-
 3 files changed, 110 insertions(+), 1 deletion(-)
 create mode 100644 0001-fix-perl-FCGI-CVE-2025-40907.patch
 create mode 100644 0002-fix-perl-FCGI-CVE-2025-40907.patch

diff --git a/0001-fix-perl-FCGI-CVE-2025-40907.patch b/0001-fix-perl-FCGI-CVE-2025-40907.patch
new file mode 100644
index 0000000..24e22be
--- /dev/null
+++ b/0001-fix-perl-FCGI-CVE-2025-40907.patch
@@ -0,0 +1,38 @@
+From 1911bf99e7fe54898d4911d97948f807c44d4c60 Mon Sep 17 00:00:00 2001
+From: zhuhongbo <zhuhongbo@uniontech.com>
+Date: Mon, 14 Jul 2025 16:39:32 +0800
+Subject: [PATCH] fix cve CVE-2025-40907
+
+---
+ libfcgi/fcgiapp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fcgiapp.c b/fcgiapp.c
+index 4ffe318..99c3630 100644
+--- a/fcgiapp.c
++++ b/fcgiapp.c
+@@ -1175,6 +1175,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
+ 	    }
+             nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
++	    if (nameLen >= INT_MAX) {
++                SetError(stream, FCGX_PARAMS_ERROR);
++                return -1;
++	    }
+         }
+         if((valueLen = FCGX_GetChar(stream)) == EOF) {
+             SetError(stream, FCGX_PARAMS_ERROR);
+@@ -1187,6 +1191,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
+ 	    }
+             valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
++	    if (valueLen >= INT_MAX) {
++                SetError(stream, FCGX_PARAMS_ERROR);
++                return -1;
++	    }
+         }
+         /*
+          * nameLen and valueLen are now valid; read the name and value
+-- 
+2.49.0
+
diff --git a/0002-fix-perl-FCGI-CVE-2025-40907.patch b/0002-fix-perl-FCGI-CVE-2025-40907.patch
new file mode 100644
index 0000000..e1dac70
--- /dev/null
+++ b/0002-fix-perl-FCGI-CVE-2025-40907.patch
@@ -0,0 +1,64 @@
+From 1911bf99e7fe54898d4911d97948f807c44d4c60 Mon Sep 17 00:00:00 2001
+From: zhuhongbo <zhuhongbo@uniontech.com>
+Date: Mon, 14 Jul 2025 16:39:32 +0800
+Subject: [PATCH] fix cve CVE-2025-40907
+---
+ libfcgi/fcgiapp.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/fcgiapp.c b/fcgiapp.c
+index 99c3630..0cd3dd1 100644
+--- a/fcgiapp.c
++++ b/fcgiapp.c
+@@ -18,6 +18,7 @@
+ #include <memory.h>     /* for memchr() */
+ #include <stdarg.h>
+ #include <stdio.h>
++#include <stdint.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <sys/types.h>
+@@ -1160,6 +1161,7 @@ char *FCGX_GetParam(const char *name, FCGX_ParamArray envp)
+ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
+ {
+     int nameLen, valueLen;
++    size_t totalLen;
+     unsigned char lenBuff[3];
+     char *nameValue;
+ 
+@@ -1175,7 +1177,7 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
+ 	    }
+             nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
+-	    if (nameLen >= INT_MAX) {
++	    if (nameLen >= INT_MAX || nameLen >= SIZE_MAX) {
+                 SetError(stream, FCGX_PARAMS_ERROR);
+                 return -1;
+ 	    }
+@@ -1191,16 +1193,21 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
+ 	    }
+             valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
+-	    if (valueLen >= INT_MAX) {
++	    if (valueLen >= INT_MAX || valueLen >= SIZE_MAX) {
+                 SetError(stream, FCGX_PARAMS_ERROR);
+                 return -1;
+ 	    }
+         }
++        totalLen = (size_t)nameLen + (size_t)valueLen + 2u;
++        if (totalLen < (size_t)nameLen || totalLen < (size_t)valueLen) {
++            SetError(stream, FCGX_PARAMS_ERROR);
++            return -1;
++        }
+         /*
+          * nameLen and valueLen are now valid; read the name and value
+          * from stream and construct a standard environment entry.
+          */
+-        nameValue = (char *)Malloc(nameLen + valueLen + 2);
++        nameValue = (char *)Malloc(totalLen);
+         if(FCGX_GetStr(nameValue, nameLen, stream) != nameLen) {
+             SetError(stream, FCGX_PARAMS_ERROR);
+             free(nameValue);
+-- 
+2.49.0
+
diff --git a/perl-FCGI.spec b/perl-FCGI.spec
index c9fb594..39eb1ef 100644
--- a/perl-FCGI.spec
+++ b/perl-FCGI.spec
@@ -3,11 +3,15 @@ Summary:        FastCGI Perl bindings
 # needed to properly replace/obsolete fcgi-perl
 Epoch:          1
 Version:        0.74
-Release:        8%{?dist}
+Release:        8%{?dist}.1
 # same as fcgi
 License:        OML
 Group:          Development/Libraries
 Source0:        http://search.cpan.org/CPAN/authors/id/F/FL/FLORA/FCGI-%{version}.tar.gz 
+
+Patch1:         0001-fix-perl-FCGI-CVE-2025-40907.patch
+Patch2:         0002-fix-perl-FCGI-CVE-2025-40907.patch
+
 URL:            http://search.cpan.org/dist/FCGI
 Requires:       perl(:MODULE_COMPAT_%(eval "$(perl -V:version)"; echo $version))
 BuildRequires:  perl
@@ -55,6 +59,9 @@ make test
 %{_mandir}/man3/*.3*
 
 %changelog
+* Fri Jul 18 2025 zhuhongbo <zhuhongbo@uniontech.com> - 1:0.74-8.1
+- fix: fix cve CVE-2025-40907
+
 * Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 1:0.74-8
 - Mass rebuild 2014-01-24
 
-- 
Gitee