From 719cfb3f3893c7f8fada2ad71fabb68c5fe953bf Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 27 May 2025 12:53:17 +0200
Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName

This issue affects memory safety and might receive a CVE ID later.

Fixes #926.

Signed-off-by: Tim Soubry <tim.soubry@mind.be>
Upstream: https://gitlab.gnome.org/GNOME/libxml2/-/commit/ad346c9a249c4b380bf73c460ad3e81135c5d781
CVE: CVE-2025-6021
[tim: include needed stdint header]
---
 tree.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/tree.c b/tree.c
index f097cf87..53385568 100644
--- a/tree.c
+++ b/tree.c
@@ -23,6 +23,7 @@
 #include <limits.h>
 #include <ctype.h>
 #include <stdlib.h>
+#include <stdint.h>
 
 #ifdef LIBXML_ZLIB_ENABLED
 #include <zlib.h>
@@ -167,10 +168,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
 xmlChar *
 xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
 	      xmlChar *memory, int len) {
-    int lenn, lenp;
+    size_t lenn, lenp;
     xmlChar *ret;
 
-    if (ncname == NULL) return(NULL);
+    if ((ncname == NULL) || (len < 0)) return(NULL);
     if (prefix == NULL) return((xmlChar *) ncname);
 
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
@@ -181,9 +182,11 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
 
     lenn = strlen((char *) ncname);
     lenp = strlen((char *) prefix);
+    if (lenn >= SIZE_MAX - lenp - 1)
+        return(NULL);
 
-    if ((memory == NULL) || (len < lenn + lenp + 2)) {
-	ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
+    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+	ret = xmlMalloc(lenn + lenp + 2);
 	if (ret == NULL)
 	    return(NULL);
     } else {
-- 
2.39.5