From 117842d735348a6f8cd7e68ad1c15a081e702246 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Mon, 13 Mar 2023 11:32:28 +0800
Subject: [PATCH] Fix CVE-2023-27371
(cherry picked from commit 7ff34701427430d009f7e91e6c397bf7076fd033)
---
 CVE-2023-27371.patch | 12 ++++++++++++
 libmicrohttpd.spec | 6 +++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-27371.patch
diff --git a/CVE-2023-27371.patch b/CVE-2023-27371.patch
new file mode 100644
index 0000000..5f2566d
--- /dev/null
+++ b/CVE-2023-27371.patch
@@ -0,0 +1,12 @@
+diff -Naur a/src/microhttpd/postprocessor.c b/src/microhttpd/postprocessor.c
+--- a/src/microhttpd/postprocessor.c 2023-03-13 11:20:38.069141187 +0800
++++ b/src/microhttpd/postprocessor.c 2023-03-13 11:21:37.158002318 +0800
+@@ -310,7 +310,7 @@
+ return NULL; /* failed to determine boundary */
+ boundary += MHD_STATICSTR_LEN_ ("boundary=");
+ blen = strlen (boundary);
+- if ( (blen == 0) ||
++ if ( (blen < 2) ||
+ (blen * 2 + 2 > buffer_size) )
+ return NULL; /* (will be) out of memory or invalid boundary */
+ if ( (boundary[0] == '"') &&
diff --git a/libmicrohttpd.spec b/libmicrohttpd.spec
index 6546f8a..2bc6f01 100644
--- a/libmicrohttpd.spec
+++ b/libmicrohttpd.spec
@@ -1,6 +1,6 @@
 Name: libmicrohttpd
 Version: 0.9.59
-Release: 7
+Release: 8
 Epoch: 1
 Summary: Lightweight library for embedding a webserver in applications
 License: LGPLv2+
@@ -9,6 +9,7 @@ Source0: https://ftp.gnu.org/gnu/libmicrohttpd/%{name}-%{version}.tar.gz
 Patch0001: gnutls-utilize-system-crypto-policy.patch
 Patch0002: fix-libmicrohttpd-tutorial-info.patch
 Patch0003: 0001-skip-tls-upgrade-test-case.patch
+Patch0004: CVE-2023-27371.patch
 BuildRequires: autoconf automake libtool gettext-devel texinfo gnutls-devel doxygen graphviz
 Requires: %{name}-help = %{epoch}:%{version}-%{release}
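Review bot: The backported check in CVE-2023-27371.patch only raises the minimum accepted boundary length from one to two characters, and the quote-handling code that starts at `if ( (boundary[0] == '"') &&` continues outside the hunk, so it is not visible here whether a boundary consisting of exactly the two quote characters is rejected or ends up with a zero (or wrapped, since blen is presumably size_t) length once the surrounding quotes are stripped; the length should be re-validated after the stripping step, e.g. a guard of the form `if (0 == blen) return NULL; /* empty boundary after unquoting */`, or the hunk should be confirmed to cover that case further down. The enclosing function starts and ends outside the hunk. The patch file itself carries no header comment naming the upstream change it backports, which makes future rebases harder; a leading comment such as `Backport of the upstream fix for CVE-2023-27371 (upstream commit: <UPSTREAM-COMMIT-ID>)` above the `diff -Naur` line would give the next maintainer that traceability. The absolute timestamps on the `---`/`+++` lines are noise for a patch applied with `-p1` and can be dropped.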
@@ -92,6 +93,9 @@ fi
 %{_infodir}/libmicrohttpd_performance_data.png.gz
 %changelog
+* Mon Mar 13 2023 yaoxin - 1:0.9.59-8
+- Fix CVE-2023-27371
+
 * Mon Jan 29 2023 Ge Wang - 0.9.59-7
 - Skip upgrade_tls test case due to socket recv failure