forked from pool/libxml2
Petr Gajdos
1ff66409f6
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxml2?expand=0&rev=247
50 lines
1.5 KiB
Diff
50 lines
1.5 KiB
Diff
From acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0 Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Tue, 27 May 2025 12:53:17 +0200
|
|
Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
|
|
|
|
This issue affects memory safety and might receive a CVE ID later.
|
|
|
|
Fixes #926.
|
|
---
|
|
tree.c | 8 +++++---
|
|
1 file changed, 5 insertions(+), 3 deletions(-)
|
|
|
|
Index: libxml2-2.13.8/tree.c
|
|
===================================================================
|
|
--- libxml2-2.13.8.orig/tree.c
|
|
+++ libxml2-2.13.8/tree.c
|
|
@@ -22,6 +22,7 @@
|
|
#include <stddef.h>
|
|
#include <limits.h>
|
|
#include <ctype.h>
|
|
+#include <stdint.h>
|
|
#include <stdlib.h>
|
|
|
|
#ifdef LIBXML_ZLIB_ENABLED
|
|
@@ -167,10 +168,10 @@ xmlGetParameterEntityFromDtd(const xmlDt
|
|
xmlChar *
|
|
xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
|
|
xmlChar *memory, int len) {
|
|
- int lenn, lenp;
|
|
+ size_t lenn, lenp;
|
|
xmlChar *ret;
|
|
|
|
- if (ncname == NULL) return(NULL);
|
|
+ if ((ncname == NULL) || (len < 0)) return(NULL);
|
|
if (prefix == NULL) return((xmlChar *) ncname);
|
|
|
|
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
|
|
@@ -181,8 +182,10 @@ xmlBuildQName(const xmlChar *ncname, con
|
|
|
|
lenn = strlen((char *) ncname);
|
|
lenp = strlen((char *) prefix);
|
|
+ if (lenn >= SIZE_MAX - lenp - 1)
|
|
+ return(NULL);
|
|
|
|
- if ((memory == NULL) || (len < lenn + lenp + 2)) {
|
|
+ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
|
|
ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
|
|
if (ret == NULL)
|
|
return(NULL);
|