Fix parser error (RHEL-126803)

Resolves: RHEL-126803
David King 2026-05-30 10:11:13 +01:00
parent 656ac29913
commit c671286b5d
2 changed files with 91 additions and 1 deletions


@ -0,0 +1,84 @@
From 9bb32f5a7db09951187a608d7ba1b71b41127da0 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 2 Jan 2024 17:52:43 +0100
Subject: [PATCH] parser: Fix buffer size checks
Don't test size of remaining data. This causes false positives with
memory buffers.
Also impose XML_MAX_HUGE_LENGTH limit when parsing with XML_PARSE_HUGE.
---
parser.c | 15 ++++++++++-----
parserInternals.c | 14 ++++++++------
2 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/parser.c b/parser.c
index 845e0fd3..77106c1d 100644
--- a/parser.c
+++ b/parser.c
@@ -12198,6 +12198,8 @@ encoding_error:
int
xmlParseChunk(xmlParserCtxtPtr ctxt, const char *chunk, int size,
int terminate) {
+ size_t curBase;
+ size_t maxLength;
int end_in_lf = 0;
if (ctxt == NULL)
@@ -12236,13 +12238,16 @@ xmlParseChunk(xmlParserCtxtPtr ctxt, const char *chunk, int size,
if (ctxt->instate == XML_PARSER_EOF)
return(ctxt->errNo);
- if ((ctxt->input != NULL) &&
- (((ctxt->input->end - ctxt->input->cur) > XML_MAX_LOOKUP_LIMIT) ||
- ((ctxt->input->cur - ctxt->input->base) > XML_MAX_LOOKUP_LIMIT)) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
+ curBase = ctxt->input->cur - ctxt->input->base;
+ maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_HUGE_LENGTH :
+ XML_MAX_LOOKUP_LIMIT;
+ if (curBase > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "Buffer size limit exceeded, try XML_PARSE_HUGE\n");
xmlHaltParser(ctxt);
}
+
if ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1))
return(ctxt->errNo);
diff --git a/parserInternals.c b/parserInternals.c
index 166397bd..9484ebdd 100644
--- a/parserInternals.c
+++ b/parserInternals.c
@@ -511,8 +511,11 @@ int
xmlParserGrow(xmlParserCtxtPtr ctxt) {
xmlParserInputPtr in = ctxt->input;
xmlParserInputBufferPtr buf = in->buf;
- ptrdiff_t curEnd = in->end - in->cur;
- ptrdiff_t curBase = in->cur - in->base;
+ size_t curEnd = in->end - in->cur;
+ size_t curBase = in->cur - in->base;
+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_HUGE_LENGTH :
+ XML_MAX_LOOKUP_LIMIT;
int ret;
if (buf == NULL)
@@ -526,10 +529,9 @@ xmlParserGrow(xmlParserCtxtPtr ctxt) {
if (buf->error != 0)
return(-1);
- if (((curEnd > XML_MAX_LOOKUP_LIMIT) ||
- (curBase > XML_MAX_LOOKUP_LIMIT)) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlErrMemory(ctxt, "Huge input lookup");
+ if (curBase > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "Buffer size limit exceeded, try XML_PARSE_HUGE\n");
xmlHaltParser(ctxt);
return(-1);
}
--
2.54.0
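Review bot: In the xmlParseChunk hunk of the added patch, the new `curBase = ctxt->input->cur - ctxt->input->base;` reads `ctxt->input` unconditionally, whereas the condition it replaces began with `(ctxt->input != NULL) &&`. The function body starts and ends outside the hunk, so an earlier NULL return may already cover this; if it does not, this is a NULL dereference after the parse step, and the guard should be kept, e.g. `if ((ctxt->input != NULL) && ((size_t)(ctxt->input->cur - ctxt->input->base) > maxLength)) {`. Separately, both xmlParseChunk and xmlParserGrow now store pointer differences in `size_t`, so a negative difference would wrap to a very large value instead of comparing as negative. A one-line comment stating that `base <= cur <= end` is assumed to hold at these points would make the backport easier to audit.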


@ -1,6 +1,6 @@
Name: libxml2
Version: 2.12.5
Release: 11%{?dist}
Release: 12%{?dist}
Summary: Library providing XML and HTML support
# list.c, dict.c and few others use ISC-Veillard
@ -41,6 +41,9 @@ Patch10: libxml2-2.12.5-CVE-2025-32414.patch
Patch11: libxml2-2.12.5-xmllint-error-code.patch
# https://redhat.atlassian.net/browse/RHEL-36782
Patch12: libxml2-2.12.5-CVE-2024-34459.patch
# https://gitlab.gnome.org/GNOME/libxml2/-/commit/85f99023ae2eaec94ae0799fd37281a7f234d99a.patch
# https://redhat.atlassian.net/browse/RHEL-126803
Patch13: libxml2-2.12.5-extra-content-parser-error.patch
BuildRequires: cmake-rpm-macros
BuildRequires: gcc
@ -181,6 +184,9 @@ popd
%{python3_sitelib}/__pycache__/drv_libxml2.*
%changelog
* Sat May 30 2026 David King <dking@redhat.com> - 2.12.5-12
- Fix parser error (RHEL-126803)
* Mon May 18 2026 David King <dking@redhat.com> - 2.12.5-11
- Fix CVE-2024-34459 (RHEL-36782)
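Review bot: The provenance comment above `Patch13` cannot be matched to the patch file from what this page shows. The comment points at upstream commit `85f99023ae2eaec94ae0799fd37281a7f234d99a`, while the added patch's `From` line carries `9bb32f5a7db09951187a608d7ba1b71b41127da0`. The patch subject is "parser: Fix buffer size checks", and the file is named `extra-content-parser-error`. This may simply be the result of cherry-picking onto the 2.12 branch, or the fix may depend on a second upstream change. Either way the spec should say which, for example with a comment line such as `# Backported to 2.12.5; patch hash differs from the upstream commit above`, so that the shipped change can be traced and compared against upstream.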