From e7652c03512f9ade53b26b94b58f7bbaf7952042 Mon Sep 17 00:00:00 2001
From: kouwenqi
Date: Mon, 6 May 2024 14:00:52 +0800
Subject: [PATCH] fix CVE-2024-34402, CVE-2024-34403

(cherry picked from commit 134ed047295b67d321d75aa377c41da8db96c137)
---
 fix-cve-2024-34402.patch | 47 ++++++++++++++++++++++++++++++++++++++++
 fix-cve-2024-34403.patch | 32 +++++++++++++++++++++++++++
 uriparser.spec | 9 ++++++--
 3 files changed, 86 insertions(+), 2 deletions(-)
 create mode 100644 fix-cve-2024-34402.patch
 create mode 100644 fix-cve-2024-34403.patch

diff --git a/fix-cve-2024-34402.patch b/fix-cve-2024-34402.patch
new file mode 100644
index 0000000..215c4b5
--- /dev/null
+++ b/fix-cve-2024-34402.patch
@@ -0,0 +1,47 @@
+From 760ade2947415dbb100053cf793c2f96fe257386 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Sun, 28 Apr 2024 21:26:45 +0200
+Subject: [PATCH] Protect against integer overflow in ComposeQueryEngine
+
+Requires string input that is longer than INT_MAX to exploit.
+---
+ src/UriQuery.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/UriQuery.c b/src/UriQuery.c
+index b2734bc..29c6f47 100644
+--- a/src/UriQuery.c
++++ b/src/UriQuery.c
+@@ -70,6 +70,7 @@
+
+
+ #include
++#include /* size_t */
+
+
+
+@@ -218,16 +219,16 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,
+ const URI_CHAR * const key = queryList->key;
+ const URI_CHAR * const value = queryList->value;
+ const int worstCase = (normalizeBreaks == URI_TRUE ? 6 : 3);
+- const int keyLen = (key == NULL) ? 0 : (int)URI_STRLEN(key);
++ const size_t keyLen = (key == NULL) ? 0 : URI_STRLEN(key);
+ int keyRequiredChars;
+- const int valueLen = (value == NULL) ? 0 : (int)URI_STRLEN(value);
++ const size_t valueLen = (value == NULL) ? 0 : URI_STRLEN(value);
+ int valueRequiredChars;
+
+- if ((keyLen >= INT_MAX / worstCase) || (valueLen >= INT_MAX / worstCase)) {
++ if ((keyLen >= (size_t)INT_MAX / worstCase) || (valueLen >= (size_t)INT_MAX / worstCase)) {
+ return URI_ERROR_OUTPUT_TOO_LARGE;
+ }
+- keyRequiredChars = worstCase * keyLen;
+- valueRequiredChars = worstCase * valueLen;
++ keyRequiredChars = worstCase * (int)keyLen;
++ valueRequiredChars = worstCase * (int)valueLen;
+
+ if (dest == NULL) {
+ (*charsRequired) += ampersandLen + keyRequiredChars + ((value == NULL)
+--
+2.23.0
+
diff --git a/fix-cve-2024-34403.patch b/fix-cve-2024-34403.patch
new file mode 100644
index 0000000..41f05b1
--- /dev/null
+++ b/fix-cve-2024-34403.patch
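Review bot: The running total on the last visible line of the ComposeQueryEngine hunk, `(*charsRequired) += ampersandLen + keyRequiredChars + ((value == NULL)`, is still plain `int` addition with no bound in the lines shown. The new `size_t` comparison keeps each of `worstCase * (int)keyLen` and `worstCase * (int)valueLen` below INT_MAX on its own, but a key and value that are each just under the limit, or a long list of items, could still carry the sum past INT_MAX, which is undefined behaviour for signed `int`. Unless the part of the function outside this hunk already bounds the total, a guard before the addition such as `if (keyRequiredChars > INT_MAX - ampersandLen - *charsRequired) return URI_ERROR_OUTPUT_TOO_LARGE;` (and the same for the value term) would close it. Since this file is a backport of an upstream commit, the check is better raised upstream than carried as a local divergence.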
@@ -0,0 +1,32 @@
+From bb6b9b3f25fbafeb12dac68574d9f677b09880e3 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Sun, 28 Apr 2024 21:57:27 +0200
+Subject: [PATCH] Protect against integer overflow in ComposeQueryMallocExMm
+
+Requires string input that is longer than INT_MAX / 6 - 1 to exploit.
+---
+ src/UriQuery.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/UriQuery.c b/src/UriQuery.c
+index b2734bc..4885ff0 100644
+--- a/src/UriQuery.c
++++ b/src/UriQuery.c
+@@ -177,10 +177,13 @@ int URI_FUNC(ComposeQueryMallocExMm)(URI_CHAR ** dest,
+ if (res != URI_SUCCESS) {
+ return res;
+ }
++ if (charsRequired == INT_MAX) {
++ return URI_ERROR_MALLOC;
++ }
+ charsRequired++;
+
+ /* Allocate space */
+- queryString = memory->malloc(memory, charsRequired * sizeof(URI_CHAR));
++ queryString = memory->calloc(memory, charsRequired, sizeof(URI_CHAR));
+ if (queryString == NULL) {
+ return URI_ERROR_MALLOC;
+ }
+--
+2.23.0
+
diff --git a/uriparser.spec b/uriparser.spec
index 2524959..3d34bee 100644
--- a/uriparser.spec
+++ b/uriparser.spec
@@ -1,10 +1,12 @@
 Name: uriparser
 Version: 0.9.6
-Release: 1
+Release: 2
 Summary: A strictly RFC 3986 compliant URI parsing and handling library written in C89
 License: BSD
 URL: https://uriparser.github.io/
 Source0: https://github.com/uriparser/uriparser/releases/download/uriparser-%{version}/uriparser-%{version}.tar.bz2
+Patch0: fix-cve-2024-34402.patch
+Patch1: fix-cve-2024-34403.patch
 BuildRequires: cmake doxygen gcc-c++ graphviz gtest-devel make gmock

 %description
@@ -30,7 +32,7 @@ BuildArch: noarch
 The package contains HTML documentation files for uriparser.

 %prep
-%autosetup
+%autosetup -p1
 sed -i 's/GENERATE_QHP\ =\ yes/GENERATE_QHP\ =\ no/g' doc/Doxyfile.in

 %build
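Review bot: The overflow check on the allocation size in the ComposeQueryMallocExMm hunk now lives entirely inside `memory->calloc`, which is reached through a function pointer, so it holds only if every memory manager passed in rejects an `nmemb * size` product that wraps; nothing in the visible lines verifies that. A comment on the call, e.g. `/* relies on calloc rejecting nmemb * size overflow */`, would record the dependency for anyone supplying a custom allocator. The added `charsRequired == INT_MAX` branch also returns `URI_ERROR_MALLOC` without attempting an allocation, whereas the companion patch reports oversized input as `URI_ERROR_OUTPUT_TOO_LARGE`, so callers cannot tell a size limit from memory exhaustion here. The function starts and ends outside the hunk.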
@@ -59,6 +61,9 @@ LD_LIBRARY_PATH=".libs" make check
 %doc %{_docdir}/uriparser/html

 %changelog
+* Mon May 6 2024 kouwenqi - 0.9.6-2
+- fix CVE-2024-34402,CVE-2024-34403
+
 * Tue Jan 25 2022 wangkai - 0.9.6-1
 - Update to 0.9.6 for fix CVE-2021-46141 and CVE-2021-46142

-- Gitee