mirror of
https://git.yoctoproject.org/poky
synced 2026-02-26 03:19:41 +01:00
134890aca0
According to [1]
A flaw was found in libxml2's xmlBuildQName function, where integer overflows
in buffer size calculations can lead to a stack-based buffer overflow. This
issue can result in memory corruption or a denial of service when processing
crafted input.
Refer debian [2], backport a fix [3] from upstream
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-6021
[2] https://security-tracker.debian.org/tracker/CVE-2025-6021
[3] acbbeef9f5
(From OE-Core rev: e3a6bf785656243b5adc0775f7480a1eb0e4ae4c)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
60 lines
1.8 KiB
Diff
60 lines
1.8 KiB
Diff
From 33d7969baf541326a35e2fbe31943c46af8c71db Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Tue, 27 May 2025 12:53:17 +0200
|
|
Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
|
|
|
|
This issue affects memory safety and might receive a CVE ID later.
|
|
|
|
Fixes #926.
|
|
|
|
Signed-off-by: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
|
|
Add '#include <stdint.h>' to assure the definition of SIZE_MAX
|
|
CVE: CVE-2025-6021
|
|
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0]
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
---
|
|
tree.c | 9 ++++++---
|
|
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/tree.c b/tree.c
|
|
index 7454b07..22ec11c 100644
|
|
--- a/tree.c
|
|
+++ b/tree.c
|
|
@@ -23,6 +23,7 @@
|
|
#include <limits.h>
|
|
#include <ctype.h>
|
|
#include <stdlib.h>
|
|
+#include <stdint.h>
|
|
|
|
#ifdef LIBXML_ZLIB_ENABLED
|
|
#include <zlib.h>
|
|
@@ -168,10 +169,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
|
|
xmlChar *
|
|
xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
|
|
xmlChar *memory, int len) {
|
|
- int lenn, lenp;
|
|
+ size_t lenn, lenp;
|
|
xmlChar *ret;
|
|
|
|
- if (ncname == NULL) return(NULL);
|
|
+ if ((ncname == NULL) || (len < 0)) return(NULL);
|
|
if (prefix == NULL) return((xmlChar *) ncname);
|
|
|
|
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
|
|
@@ -182,8 +183,10 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
|
|
|
|
lenn = strlen((char *) ncname);
|
|
lenp = strlen((char *) prefix);
|
|
+ if (lenn >= SIZE_MAX - lenp - 1)
|
|
+ return(NULL);
|
|
|
|
- if ((memory == NULL) || (len < lenn + lenp + 2)) {
|
|
+ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
|
|
ret = xmlMalloc(lenn + lenp + 2);
|
|
if (ret == NULL)
|
|
return(NULL);
|
|
--
|
|
2.34.1
|
|
|