1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
From 33d7969baf541326a35e2fbe31943c46af8c71db Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 27 May 2025 12:53:17 +0200
Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
This issue affects memory safety and might receive a CVE ID later.
Fixes #926.
Signed-off-by: Nick Wellnhofer <wellnhofer@aevum.de>
Add '#include <stdint.h>' to assure the definition of SIZE_MAX
CVE: CVE-2025-6021
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
tree.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/tree.c b/tree.c
index 7454b07..22ec11c 100644
--- a/tree.c
+++ b/tree.c
@@ -23,6 +23,7 @@
#include <limits.h>
#include <ctype.h>
#include <stdlib.h>
+#include <stdint.h>
#ifdef LIBXML_ZLIB_ENABLED
#include <zlib.h>
@@ -168,10 +169,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
xmlChar *
xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
xmlChar *memory, int len) {
- int lenn, lenp;
+ size_t lenn, lenp;
xmlChar *ret;
- if (ncname == NULL) return(NULL);
+ if ((ncname == NULL) || (len < 0)) return(NULL);
if (prefix == NULL) return((xmlChar *) ncname);
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
@@ -182,8 +183,10 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
lenn = strlen((char *) ncname);
lenp = strlen((char *) prefix);
+ if (lenn >= SIZE_MAX - lenp - 1)
+ return(NULL);
- if ((memory == NULL) || (len < lenn + lenp + 2)) {
+ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
ret = xmlMalloc(lenn + lenp + 2);
if (ret == NULL)
return(NULL);
--
2.34.1
|
