Projetos/rpi-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
096589bd59f3f8e827754d43ad01dcdc406cc27f
rpi-buildroot/package/libxml2/0001-tree-Fix-integer-overflow-in-xmlBuildQName.patch
Tim Soubry 5980de098a package/libxml2: add patch for CVE-2025-6021 
This fixes an integer overflow vulnerability [1], in libxml2 version
2.13 by backporting the commit [2] from libxml2 2.14. This commit uses
the SIZE_MAX macro, for which stdint.h was included in tree.c, as done in [3].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-6021
[2] ad346c9a24
[3] https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch

Signed-off-by: Tim Soubry <tim.soubry@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a1cf6bcc06)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
2025-07-15 18:36:54 +02:00

60 lines
1.7 KiB
Diff
Raw Blame History

From 719cfb3f3893c7f8fada2ad71fabb68c5fe953bf Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 27 May 2025 12:53:17 +0200
Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
This issue affects memory safety and might receive a CVE ID later.
Fixes #926.
Signed-off-by: Tim Soubry <tim.soubry@mind.be>
Upstream: https://gitlab.gnome.org/GNOME/libxml2/-/commit/ad346c9a249c4b380bf73c460ad3e81135c5d781
CVE: CVE-2025-6021
[tim: include needed stdint header]
---
tree.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/tree.c b/tree.c
index f097cf87..53385568 100644
--- a/tree.c
+++ b/tree.c
@@ -23,6 +23,7 @@
#include <limits.h>
#include <ctype.h>
#include <stdlib.h>
+#include <stdint.h>
#ifdef LIBXML_ZLIB_ENABLED
#include <zlib.h>
@@ -167,10 +168,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
xmlChar *
xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
xmlChar *memory, int len) {
- int lenn, lenp;
+ size_t lenn, lenp;
xmlChar *ret;
- if (ncname == NULL) return(NULL);
+ if ((ncname == NULL) || (len < 0)) return(NULL);
if (prefix == NULL) return((xmlChar *) ncname);
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
@@ -181,9 +182,11 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
lenn = strlen((char *) ncname);
lenp = strlen((char *) prefix);
+ if (lenn >= SIZE_MAX - lenp - 1)
+ return(NULL);
- if ((memory == NULL) || (len < lenn + lenp + 2)) {
- ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
+ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+ ret = xmlMalloc(lenn + lenp + 2);
if (ret == NULL)
return(NULL);
} else {
--
2.39.5
Reference in New Issue View Git Blame Copy Permalink