--- /dev/null
+From acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 27 May 2025 12:53:17 +0200
+Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
+
+This issue affects memory safety.
+
+Fixes #926.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0]
+CVE: CVE-2025-6021
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tree.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index dc3ac4f..f89e3cd 100644
+--- a/tree.c
++++ b/tree.c
+@@ -47,6 +47,10 @@
+ #include "private/error.h"
+ #include "private/tree.h"
+
++#ifndef SIZE_MAX
++#define SIZE_MAX ((size_t) -1)
++#endif
++
+ int __xmlRegisterCallbacks = 0;
+
+ /************************************************************************
+@@ -216,16 +220,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ xmlChar *memory, int len) {
+- int lenn, lenp;
++ size_t lenn, lenp;
+ xmlChar *ret;
+
+- if (ncname == NULL) return(NULL);
++ if ((ncname == NULL) || (len < 0)) return(NULL);
+ if (prefix == NULL) return((xmlChar *) ncname);
+
+ lenn = strlen((char *) ncname);
+ lenp = strlen((char *) prefix);
++ if (lenn >= SIZE_MAX - lenp - 1)
++ return(NULL);
+
+- if ((memory == NULL) || (len < lenn + lenp + 2)) {
++ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+ ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
+ if (ret == NULL) {
+ xmlTreeErrMemory("building QName");
+--
+2.49.0
+
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
