From 7d1557a60145927806c88d321e8322a9d9f49bb2 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 22 Nov 2024 13:39:51 -0600
Subject: [PATCH 2/2] soup_uri_decode_data_uri(): Handle URIs with a path
 starting with //

CVE: CVE-2025-32051
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/79cfd65c9bd8024cd45dd725c284766329873709]

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 libsoup/soup-uri-utils.c | 8 ++++++++
 tests/uri-parsing-test.c | 2 ++
 2 files changed, 10 insertions(+)

diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c
index 0251279..1ff11cd 100644
--- a/libsoup/soup-uri-utils.c
+++ b/libsoup/soup-uri-utils.c
@@ -286,6 +286,7 @@ soup_uri_decode_data_uri (const char *uri,
         gboolean base64 = FALSE;
         char *uri_string;
         GBytes *bytes;
+        const char *path;
 
         g_return_val_if_fail (uri != NULL, NULL);
 
@@ -301,6 +302,13 @@ soup_uri_decode_data_uri (const char *uri,
         if (content_type)
                 *content_type = NULL;
 
+        /* g_uri_to_string() is picky about paths that start with `//` and will assert. */
+        path = g_uri_get_path (soup_uri);
+        if (path[0] == '/' && path[1] == '/') {
+                g_uri_unref (soup_uri);
+                return NULL;
+        }
+
         uri_string = g_uri_to_string (soup_uri);
         g_uri_unref (soup_uri);
         if (!uri_string)
diff --git a/tests/uri-parsing-test.c b/tests/uri-parsing-test.c
index 1f16273..418391e 100644
--- a/tests/uri-parsing-test.c
+++ b/tests/uri-parsing-test.c
@@ -141,6 +141,8 @@ static struct {
         { "data:text/plain;base64,aGVsbG8=", "hello", "text/plain" },
         { "data:text/plain;base64,invalid=", "", "text/plain" },
         { "data:,", "", CONTENT_TYPE_DEFAULT },
+        { "data:.///", NULL, NULL },
+        { "data:/.//", NULL, NULL },
 };
 
 static void
-- 
2.34.1