From 76ca2a85ed2ac73c25ca67f2014cd70593ee3311 Mon Sep 17 00:00:00 2001
From: Daniel Markstedt
Date: Thu, 7 May 2026 23:30:54 +0200
Subject: [PATCH] CVE-2026-45355: afpd: fix signed integer underflow in sl_unpack_cpx string length
Reported-by: @TristanInSec
Signed-off-by: Daniel Markstedt
---
 etc/afpd/spotlight_marshalling.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/etc/afpd/spotlight_marshalling.c b/etc/afpd/spotlight_marshalling.c
index 769982e6e..22b699de9 100644
--- a/etc/afpd/spotlight_marshalling.c
+++ b/etc/afpd/spotlight_marshalling.c
@@ -689,6 +689,10 @@ static int sl_unpack_cpx(DALLOC_CTX *query,
     slen = qlen - 16 + used_in_last_block;
     if (cpx_query_type == SQ_CPX_TYPE_STRING) {
+        if (slen < 0 || offset + 8 + slen > (int)toc_offset) {
+            EC_FAIL;
+        }
+
         p = dalloc_strndup(query, buf + offset + 8, slen);
     } else {
         unicode_encoding = spotlight_get_utf16_string_encoding(buf, offset + 8, slen,
@@ -700,12 +704,18 @@ static int sl_unpack_cpx(DALLOC_CTX *query,
         }
         slen -= mark_exists ? 2 : 0;
-        EC_NEG1(convert_string_allocate(CH_UCS2,
-                                        CH_UTF8,
-                                        buf + offset + (mark_exists ? 10 : 8),
-                                        slen,
-                                        &tmp));
-        p = dalloc_strndup(query, tmp, strlen(tmp));
+
+        if (slen <= 0 || offset + (mark_exists ? 10 : 8) + slen > (int)toc_offset) {
+            EC_FAIL;
+        }
+
+        size_t tmp_len;
+        EC_NEG1(tmp_len = convert_string_allocate(CH_UCS2,
+                                                   CH_UTF8,
+                                                   buf + offset + (mark_exists ? 10 : 8),
+                                                   slen,
+                                                   &tmp));
+        p = dalloc_strndup(query, tmp, tmp_len);
         free(tmp);
     }
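Review bot: The new guard `offset + 8 + slen > (int)toc_offset` does its arithmetic in signed integers (the subject line says `slen` is signed) and compares against a cast copy of `toc_offset`; if `toc_offset` is an unsigned value, which the cast suggests, the comparison changes meaning once it exceeds INT_MAX, and if `offset` can be large the signed sum itself may overflow before the comparison is made. Once `slen < 0` has been rejected the check can be done in the unsigned domain without the cast, assuming `offset` is non-negative: `if (slen < 0 || (size_t)offset + 8 + (size_t)slen > toc_offset) {`; the same applies to the guard in the second hunk. The check also relies on `toc_offset` itself having been validated against the real buffer length by the caller, which nothing in this hunk shows and which deserves a one-line comment at the guard. sl_unpack_cpx begins before the hunk and continues after it.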
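Review bot: The second hunk's guard uses `slen <= 0`, so a UTF-16 value that is empty after the `slen -= mark_exists ? 2 : 0;` line (a two-byte mark and nothing else) now fails the whole unpack, where the old code passed a zero length on to convert_string_allocate; if empty strings are legitimate on the wire this is a behaviour change, and either the test should be `slen < 0` or the rejection should carry a comment such as `/* empty UTF-16 strings are rejected: zero-length conversion is not meaningful */`. An odd `slen` still reaches `convert_string_allocate(CH_UCS2, ...)` carrying half a code unit at the end; adding `|| (slen & 1)` to the same guard would reject it before conversion. The `EC_NEG1(tmp_len = ...)` form now compares a `size_t` with the macro's failure value, which presumably only works because -1 converts to SIZE_MAX; a one-line comment stating that convert_string_allocate reports failure as `(size_t)-1`, if that is its contract, would make the check readable. The enclosing else-branch and sl_unpack_cpx continue past the hunk.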