From 16195a7a6d76e654af06b14e401997c4103cf984 Mon Sep 17 00:00:00 2001 From: David King Date: Fri, 13 Jun 2025 18:48:26 +0100 Subject: [PATCH] Fix integer overflow (RHEL-74345) Resolves: RHEL-74345
---
libxml2-clamp-output-bytes-overflow.patch | 56 +++++++++++++++++++++++ libxml2.spec | 7 ++- 2 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 libxml2-clamp-output-bytes-overflow.patch
diff --git a/libxml2-clamp-output-bytes-overflow.patch b/libxml2-clamp-output-bytes-overflow.patch
new file mode 100644
index 0000000..fdfcb41
--- /dev/null
+++ b/libxml2-clamp-output-bytes-overflow.patch
@@ -0,0 +1,56 @@
+From 40e00bc5174ab61036c893078123467144b05a4a Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Mon, 14 Oct 2019 16:56:59 +0200
+Subject: [PATCH] Fix integer overflow when counting written bytes
+
+Check for integer overflow when updating the `written` member of
+struct xmlOutputBuffer in xmlIO.c.
+
+Closes #112. Resolves !54 and !55.
+---
+ xmlIO.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/xmlIO.c b/xmlIO.c
+index 2a1e2cb08..752d5e0a0 100644
+--- a/xmlIO.c
++++ b/xmlIO.c
+@@ -3413,7 +3413,10 @@ xmlOutputBufferWrite(xmlOutputBufferPtr out, int len, const char *buf) {
+ out->error = XML_IO_WRITE;
+ return(ret);
+ }
+- out->written += ret;
++ if (out->written > INT_MAX - ret)
++ out->written = INT_MAX;
++ else
++ out->written += ret;
+ }
+ written += nbchars;
+ } while (len > 0);
+@@ -3609,7 +3612,10 @@ xmlOutputBufferWriteEscape(xmlOutputBufferPtr out, const xmlChar *str,
+ out->error = XML_IO_WRITE;
+ return(ret);
+ }
+- out->written += ret;
++ if (out->written > INT_MAX - ret)
++ out->written = INT_MAX;
++ else
++ out->written += ret;
+ } else if (xmlBufAvail(out->buffer) < MINLEN) {
+ xmlBufGrow(out->buffer, MINLEN);
+ }
+@@ -3703,7 +3709,10 @@ xmlOutputBufferFlush(xmlOutputBufferPtr out) {
+ out->error = XML_IO_FLUSH;
+ return(ret);
+ }
+- out->written += ret;
++ if (out->written > INT_MAX - ret)
++ out->written = INT_MAX;
++ else
++ out->written += ret;
+
+ #ifdef DEBUG_INPUT
+ xmlGenericError(xmlGenericErrorContext,
+--
+GitLab
+
diff --git a/libxml2.spec b/libxml2.spec
index 66fece8..5185eac 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -7,7 +7,7 @@ Name: libxml2 Version: 2.9.7 -Release: 20%{?dist} +Release: 21%{?dist} Summary: Library providing XML and HTML support License: MIT
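Review bot: The clamp `if (out->written > INT_MAX - ret)` added in all three xmlIO.c hunks (xmlOutputBufferWrite, xmlOutputBufferWriteEscape, xmlOutputBufferFlush) is only overflow-free when `ret` is non-negative, because `INT_MAX - ret` is itself a signed overflow for a negative `ret`. The early return just above each clamp presumably covers that, but its condition lies outside the hunks, so it should be confirmed against the 2.9.7 sources this upstream commit is being backported onto, along with `INT_MAX` being visible in xmlIO.c there, since the patch adds no include. The counter also now saturates silently, so a one-line comment at the first clamp would help: `/* ret >= 0 here; saturate the int byte counter instead of wrapping */`. All three enclosing functions start and end outside the hunks.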
@@ -72,6 +72,8 @@ Patch27: libxml2-2.9.13-CVE-2024-56171.patch Patch28: libxml2-2.9.13-CVE-2025-24928.patch # https://issues.redhat.com/browse/RHEL-88198 Patch29: libxml2-2.9.13-CVE-2025-32414.patch +# https://issues.redhat.com/browse/RHEL-74345 +Patch30: libxml2-clamp-output-bytes-overflow.patch BuildRequires: gcc BuildRequires: cmake-rpm-macros @@ -243,6 +245,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %{python3_sitearch}/libxml2mod.so %changelog +* Fri Jun 13 2025 David King - 2.9.7-21 +- Fix integer overflow (RHEL-74345) + * Thu Jun 05 2025 David King - 2.9.7-20 - Fix CVE-2025-32414 (RHEL-88198)
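Review bot: `Patch30` is declared here, but none of the visible spec hunks touches `%prep`, so whether the fix is actually applied depends on how the spec applies patches. If it uses `%autosetup` (or an equivalent that applies every declared patch) nothing more is needed; if it lists patches individually, a matching apply line for patch 30 would be required, or the package would be rebuilt with the fix declared but not applied. A build-log check that `libxml2-clamp-output-bytes-overflow.patch` is applied would settle it.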