| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859 |
- From 719cfb3f3893c7f8fada2ad71fabb68c5fe953bf Mon Sep 17 00:00:00 2001
- From: Nick Wellnhofer <wellnhofer@aevum.de>
- Date: Tue, 27 May 2025 12:53:17 +0200
- Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
- This issue affects memory safety and might receive a CVE ID later.
- Fixes #926.
- Signed-off-by: Tim Soubry <tim.soubry@mind.be>
- Upstream: https://gitlab.gnome.org/GNOME/libxml2/-/commit/ad346c9a249c4b380bf73c460ad3e81135c5d781
- CVE: CVE-2025-6021
- [tim: include needed stdint header]
- ---
- tree.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
- diff --git a/tree.c b/tree.c
- index f097cf87..53385568 100644
- --- a/tree.c
- +++ b/tree.c
- @@ -23,6 +23,7 @@
- #include <limits.h>
- #include <ctype.h>
- #include <stdlib.h>
- +#include <stdint.h>
-
- #ifdef LIBXML_ZLIB_ENABLED
- #include <zlib.h>
- @@ -167,10 +168,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
- xmlChar *
- xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
- xmlChar *memory, int len) {
- - int lenn, lenp;
- + size_t lenn, lenp;
- xmlChar *ret;
-
- - if (ncname == NULL) return(NULL);
- + if ((ncname == NULL) || (len < 0)) return(NULL);
- if (prefix == NULL) return((xmlChar *) ncname);
-
- #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
- @@ -181,9 +182,11 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
-
- lenn = strlen((char *) ncname);
- lenp = strlen((char *) prefix);
- + if (lenn >= SIZE_MAX - lenp - 1)
- + return(NULL);
-
- - if ((memory == NULL) || (len < lenn + lenp + 2)) {
- - ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
- + if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
- + ret = xmlMalloc(lenn + lenp + 2);
- if (ret == NULL)
- return(NULL);
- } else {
- --
- 2.39.5
|
