rpms/libxml2
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix integer overflow (RHEL-74345)

Browse Source 
Resolves: RHEL-74345
This commit is contained in:
David King 2025-06-13 18:48:26 +01:00
parent 99da0bf84e
commit 16195a7a6d
2 changed files with 62 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
libxml2-clamp-output-bytes-overflow.patch Normal file
View File

@ -0,0 +1,56 @@
From 40e00bc5174ab61036c893078123467144b05a4a Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 14 Oct 2019 16:56:59 +0200
Subject: [PATCH] Fix integer overflow when counting written bytes
Check for integer overflow when updating the `written` member of
struct xmlOutputBuffer in xmlIO.c.
Closes #112. Resolves !54 and !55.
---
xmlIO.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/xmlIO.c b/xmlIO.c
index 2a1e2cb08..752d5e0a0 100644
--- a/xmlIO.c
+++ b/xmlIO.c
@@ -3413,7 +3413,10 @@ xmlOutputBufferWrite(xmlOutputBufferPtr out, int len, const char *buf) {
out->error = XML_IO_WRITE;
return(ret);
}
- out->written += ret;
+ if (out->written > INT_MAX - ret)
+ out->written = INT_MAX;
+ else
+ out->written += ret;
}
written += nbchars;
} while (len > 0);
@@ -3609,7 +3612,10 @@ xmlOutputBufferWriteEscape(xmlOutputBufferPtr out, const xmlChar *str,
out->error = XML_IO_WRITE;
return(ret);
}
- out->written += ret;
+ if (out->written > INT_MAX - ret)
+ out->written = INT_MAX;
+ else
+ out->written += ret;
} else if (xmlBufAvail(out->buffer) < MINLEN) {
xmlBufGrow(out->buffer, MINLEN);
}
@@ -3703,7 +3709,10 @@ xmlOutputBufferFlush(xmlOutputBufferPtr out) {
out->error = XML_IO_FLUSH;
return(ret);
}
- out->written += ret;
+ if (out->written > INT_MAX - ret)
+ out->written = INT_MAX;
+ else
+ out->written += ret;
#ifdef DEBUG_INPUT
xmlGenericError(xmlGenericErrorContext,
--
GitLab

7
libxml2.spec
View File

@ -7,7 +7,7 @@
Name: libxml2
Version: 2.9.7
Release: 20%{?dist}
Release: 21%{?dist}
Summary: Library providing XML and HTML support
License: MIT
@ -72,6 +72,8 @@ Patch27: libxml2-2.9.13-CVE-2024-56171.patch
Patch28: libxml2-2.9.13-CVE-2025-24928.patch
# https://issues.redhat.com/browse/RHEL-88198
Patch29: libxml2-2.9.13-CVE-2025-32414.patch
# https://issues.redhat.com/browse/RHEL-74345
Patch30: libxml2-clamp-output-bytes-overflow.patch
BuildRequires: gcc
BuildRequires: cmake-rpm-macros
@ -243,6 +245,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
%{python3_sitearch}/libxml2mod.so
%changelog
* Fri Jun 13 2025 David King <dking@redhat.com> - 2.9.7-21
- Fix integer overflow (RHEL-74345)
* Thu Jun 05 2025 David King <dking@redhat.com> - 2.9.7-20
- Fix CVE-2025-32414 (RHEL-88198)