libxml2-CVE-2025-24928.patch

From 8c8753ad5280ee13aee5eec9b0f6eee2ed920f57 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 11 Feb 2025 17:30:40 +0100
Subject: [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in
 xmlSnprintfElements

Fixes #847.
---
 valid.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

Index: libxml2-2.11.6/valid.c
===================================================================
--- libxml2-2.11.6.orig/valid.c
+++ libxml2-2.11.6/valid.c
@@ -5252,25 +5252,25 @@ xmlSnprintfElements(char *buf, int size,
 	    return;
 	}
         switch (cur->type) {
-            case XML_ELEMENT_NODE:
+            case XML_ELEMENT_NODE: {
+                int qnameLen = xmlStrlen(cur->name);
+
+                if ((cur->ns != NULL) && (cur->ns->prefix != NULL))
+                    qnameLen += xmlStrlen(cur->ns->prefix) + 1;
+                if (size - len < qnameLen + 10) {
+                    if ((size - len > 4) && (buf[len - 1] != '.'))
+                        strcat(buf, " ...");
+                    return;
+                }
 		if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {
-		    if (size - len < xmlStrlen(cur->ns->prefix) + 10) {
-			if ((size - len > 4) && (buf[len - 1] != '.'))
-			    strcat(buf, " ...");
-			return;
-		    }
 		    strcat(buf, (char *) cur->ns->prefix);
 		    strcat(buf, ":");
 		}
-                if (size - len < xmlStrlen(cur->name) + 10) {
-		    if ((size - len > 4) && (buf[len - 1] != '.'))
-			strcat(buf, " ...");
-		    return;
-		}
 	        strcat(buf, (char *) cur->name);
 		if (cur->next != NULL)
 		    strcat(buf, " ");
 		break;
+            }
             case XML_TEXT_NODE:
 		if (xmlIsBlankNode(cur))
 		    break;
Sync from SUSE:ALP:Source:Standard:1.0 libxml2 revision 849e9b398bef9f2381832e735a73d573 2025-04-04 15:04:07 +02:00			`From 8c8753ad5280ee13aee5eec9b0f6eee2ed920f57 Mon Sep 17 00:00:00 2001`
			`From: Nick Wellnhofer <wellnhofer@aevum.de>`
			`Date: Tue, 11 Feb 2025 17:30:40 +0100`
			`Subject: [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in`
			`xmlSnprintfElements`

			`Fixes #847.`
			`---`
			`valid.c \| 22 +++++++++++-----------`
			`1 file changed, 11 insertions(+), 11 deletions(-)`

			`Index: libxml2-2.11.6/valid.c`
			`===================================================================`
			`--- libxml2-2.11.6.orig/valid.c`
			`+++ libxml2-2.11.6/valid.c`
			`@@ -5252,25 +5252,25 @@ xmlSnprintfElements(char *buf, int size,`
			`return;`
			`}`
			`switch (cur->type) {`
			`- case XML_ELEMENT_NODE:`
			`+ case XML_ELEMENT_NODE: {`
			`+ int qnameLen = xmlStrlen(cur->name);`
			`+`
			`+ if ((cur->ns != NULL) && (cur->ns->prefix != NULL))`
			`+ qnameLen += xmlStrlen(cur->ns->prefix) + 1;`
			`+ if (size - len < qnameLen + 10) {`
			`+ if ((size - len > 4) && (buf[len - 1] != '.'))`
			`+ strcat(buf, " ...");`
			`+ return;`
			`+ }`
			`if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {`
			`- if (size - len < xmlStrlen(cur->ns->prefix) + 10) {`
			`- if ((size - len > 4) && (buf[len - 1] != '.'))`
			`- strcat(buf, " ...");`
			`- return;`
			`- }`
			`strcat(buf, (char *) cur->ns->prefix);`
			`strcat(buf, ":");`
			`}`
			`- if (size - len < xmlStrlen(cur->name) + 10) {`
			`- if ((size - len > 4) && (buf[len - 1] != '.'))`
			`- strcat(buf, " ...");`
			`- return;`
			`- }`
			`strcat(buf, (char *) cur->name);`
			`if (cur->next != NULL)`
			`strcat(buf, " ");`
			`break;`
			`+ }`
			`case XML_TEXT_NODE:`
			`if (xmlIsBlankNode(cur))`
			`break;`