1diff --git a/tree.c b/tree.c
2index f097cf87..4d966ec9 100644
3--- a/tree.c
4+++ b/tree.c
5@@ -47,6 +47,10 @@
6 #include "private/error.h"
7 #include "private/tree.h"
8
9+#ifndef SIZE_MAX
10+ #define SIZE_MAX ((size_t) -1)
11+#endif
12+
13 int __xmlRegisterCallbacks = 0;
14
15 /************************************************************************
16@@ -167,10 +168,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
17 xmlChar *
18 xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
19 xmlChar *memory, int len) {
20- int lenn, lenp;
21+ size_t lenn, lenp;
22 xmlChar *ret;
23
24- if (ncname == NULL) return(NULL);
25+ if ((ncname == NULL) || (len < 0)) return(NULL);
26 if (prefix == NULL) return((xmlChar *) ncname);
27
28 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
29@@ -181,8 +182,10 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
30
31 lenn = strlen((char *) ncname);
32 lenp = strlen((char *) prefix);
33+ if (lenn >= SIZE_MAX - lenp - 1)
34+ return(NULL);
35
36- if ((memory == NULL) || (len < lenn + lenp + 2)) {
37+ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
38 ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
39 if (ret == NULL)
40 return(NULL);
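Review bot: The new `len < 0` test in xmlBuildQName sits ahead of the `prefix == NULL` early return, so a call with no prefix and a negative len now yields NULL where it previously returned ncname. That NULL is the same value the function returns when xmlMallocAtomic fails, so a caller cannot tell a rejected argument from an out-of-memory condition. If rejecting early is intended, the function's doc comment (outside this hunk) should say so, for example `Returns NULL if ncname is NULL, len is negative, or the allocation fails`. Otherwise keep the original first check and add `if (len < 0) return(NULL);` after the prefix test.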
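Review bot: The `(size_t) len` cast in the buffer-size comparison is safe only because a negative len is rejected on entry, in the previous hunk. Without that guard a negative len would convert to a very large value, the comparison would be false, and the caller's `memory` buffer would be used regardless of its real size. The guard and the cast are separated by the fuzzing-mode block, so a comment at the cast would keep them tied together: `/* len >= 0 is checked on entry, so the cast cannot wrap */`. The wrap check just above it would also read more easily with `/* lenn + lenp + 2 must fit in size_t */`. The function body continues past the end of this hunk.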