From 2c47a89f3c47bd86fe82d21236247d88c9226eac Mon Sep 17 00:00:00 2001
From: Thiago Costa
Date: Wed, 23 Oct 2024 15:49:18 -0300
Subject: [PATCH] Patching CVE-2024-21490 and CVE-2022-25844
---
 src/ng/compile.js | 10 +++++++++-
 src/ng/filter/filters.js | 15 +++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/src/ng/compile.js b/src/ng/compile.js
index e48b5a98b6c5..b1cf67a50341 100644
--- a/src/ng/compile.js
+++ b/src/ng/compile.js
@@ -2099,7 +2099,15 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
 // first check if there are spaces because it's not the same pattern
 var trimmedSrcset = trim(value);
 // ( 999x ,| 999w ,| ,|, )
- var srcPattern = /(\s+\d+x\s*,|\s+\d+w\s*,|\s+,|,\s+)/;
+ /*
+ * CVE-2024-21490
+ * Used to be /(\s+\d+x\s*,|\s+\d+w\s*,|\s+,|,\s+)/
+ * We factorize the common parts of the first patterns (with spaces before the comma).
+ * The additional '\s*' after ',' changes the length of resulting strings wich are trimmed anyway,
+ * but it helps not matching both combinations when candidates have spaces before and after the comma.
+ * This reduces the split complexity to linear and avoid the ReDoS.
+ */
+ var srcPattern = /(\s+(?:\d+(?:x\s*|w\s*))?,\s*|,\s+)/;
 var pattern = /\s/.test(trimmedSrcset) ? srcPattern : /(,)/;
 // split srcset into tuple of uri and descriptor except for the last item
diff --git a/src/ng/filter/filters.js b/src/ng/filter/filters.js
index 482b31897c79..bfa6ef28307f 100644
--- a/src/ng/filter/filters.js
+++ b/src/ng/filter/filters.js
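Review bot: In src/ng/compile.js the new comment says the split is now linear, but the first alternative of `srcPattern` still opens with an unanchored `\s+` that has to reach a `,`. On a long run of whitespace with no comma after it, a backtracking engine would, as far as I can tell, retry `\s+` from every offset in the run, which is still quadratic. The diffstat shows no test file and nothing here bounds the srcset length, so I would either add a timing regression test for that input shape or soften the last comment line to `* This removes the overlapping alternatives; whitespace runs without a comma can still backtrack.`. The comment also has a typo (`wich`). The enclosing function starts and ends outside the hunk.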
@@ -348,6 +348,21 @@ function formatNumber(number, pattern, groupSep, decimalSep, fractionSize) {
 formattedText += 'e+' + exponent;
 }
 }
+ /*
+ * CVE-2022-25844
+ */
+ const maxLength = 100;
+
+ if (pattern.posPre && pattern.posPre.length > maxLength) {
+ pattern.posPre = pattern.posPre.substring(0, maxLength);
+ console.warn('Value of posPre is too long, it has been truncated to the maximum allowed length.');
+ }
+
+ if (pattern.posSuf && pattern.posSuf.length > maxLength) {
+ pattern.posSuf = pattern.posSuf.substring(0, maxLength);
+ console.warn('Value of posSuf is too long, it has been truncated to the maximum allowed length.');
+ }
+
 if (number < 0 && !isZero) {
 return pattern.negPre + formattedText + pattern.negSuf;
 } else {
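Review bot: The length cap covers only `posPre`/`posSuf`, yet the negative branch directly below still returns `pattern.negPre + formattedText + pattern.negSuf` unbounded, so an over-long negative affix from a locale escapes the CVE-2022-25844 check. The truncation also assigns back into `pattern`, which appears to be the caller's shared format object, so the locale data is altered for every later call and the warning would fire only once. Clipping into locals, e.g. `var negPre = pattern.negPre && pattern.negPre.substring(0, maxLength);`, and using those in the return would avoid both. `const` differs from the `var` used in the compile.js hunk of this same patch and may not pass an ES5 lint or build. The body of formatNumber starts before and continues after this hunk.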