From 3be8e9a985a4820ae0944714869fff81250d029d Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 25 Nov 2025 14:43:18 +0100
Subject: [PATCH] [PATCH 2/2] datasets: allocates on the heap if string base64 is long
Ticket: 8110
(cherry picked from commit d6bc718e303ecbec5999066b8bc88eeeca743658)
Origin: upstream, https://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8110
Subject: Upstream fix for CVE-2026-22262 part 2
Gbp-Pq: Name CVE-2026-22262_2.patch
---
 src/datasets-string.c | 4 ++--
 src/util-thash.c | 21 ++++++++++++++++++++-
 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/src/datasets-string.c b/src/datasets-string.c
index 524a60ad..53a179a1 100644
--- a/src/datasets-string.c
+++ b/src/datasets-string.c
@@ -50,8 +50,8 @@ int StringAsBase64(const void *s, char *out, size_t out_size)
 unsigned long len = Base64EncodeBufferSize(str->len);
 if (len + 2 > out_size) {
- // linefeed and final zero
- return 0;
+ // linefeed and final zero : signal we need more space
+ return len + 2;
 }
 if (Base64Encode((unsigned char *)str->ptr, str->len, (uint8_t *)out, &len) != SC_BASE64_OK)
 return 0;
diff --git a/src/util-thash.c b/src/util-thash.c
index 54863791..c6df02cf 100644
--- a/src/util-thash.c
+++ b/src/util-thash.c
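Review bot: `return len + 2;` in StringAsBase64 gives the return value a new meaning that no comment on the function records: 0 is still failure, but a result larger than `out_size` now means nothing was written and the caller should retry with that many bytes. A header comment such as `/* returns 0 on error, or the needed buffer size (larger than out_size) when out is too small */`, extended with whatever the success path returns (not visible here), would tell authors of other THashFormatFunc callbacks what THashWalk now expects. `len` is `unsigned long` while the function returns `int`, so the sum is narrowed implicitly; a guard before the return, `if (len + 2 > INT_MAX) return 0;`, would keep a very long string from becoming a negative or wrapped size. The function's opening and its tail are outside the hunk.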
@@ -390,7 +390,26 @@ int THashWalk(THashTableContext *ctx, THashFormatFunc FormatterFunc, THashOutput
 char output_string[1024] = "";
 int size = FormatterFunc(h->data, output_string, sizeof(output_string));
 if (size > 0) {
- if (OutputterFunc(output_ctx, (const uint8_t *)output_string, size) < 0) {
+ if (size > 1024) {
+ // we did not provide enough space on the stack, let's allocate on the heap
+ char *out_alloc = SCCalloc(1, size);
+ if (out_alloc == NULL) {
+ err = true;
+ break;
+ }
+ size = FormatterFunc(h->data, out_alloc, size);
+ if (size == 0) {
+ err = true;
+ SCFree(out_alloc);
+ break;
+ }
+ if (OutputterFunc(output_ctx, (const uint8_t *)out_alloc, size) < 0) {
+ err = true;
+ SCFree(out_alloc);
+ break;
+ }
+ SCFree(out_alloc);
+ } else if (OutputterFunc(output_ctx, (const uint8_t *)output_string, size) < 0) {
 err = true;
 break;
 }
--
2.30.2
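Review bot: The retry call to `FormatterFunc` in the new heap branch is checked only for `size == 0`, so a negative return or a value larger than the buffer just allocated would still be passed to `OutputterFunc` as the length of `out_alloc`, which would read past the allocation. Because `size` is reused for both the requested size and the result, the bound is lost; keeping it in its own variable, `const int needed = size;`, and rejecting `if (size <= 0 || size > needed) {` after the retry closes that gap. The literal in `if (size > 1024)` duplicates the array length and would stay correct under a later resize if written as `(size_t)size > sizeof(output_string)`. THashWalk's body starts and ends outside the hunk, so whether the entry is locked across the two formatter calls cannot be confirmed from here.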