diff --git a/libxml2-2.12.5-extra-content-parser-error.patch b/libxml2-2.12.5-extra-content-parser-error.patch new file mode 100644 index 0000000..fed6fcb --- /dev/null +++ b/libxml2-2.12.5-extra-content-parser-error.patch @@ -0,0 +1,84 @@ +From 9bb32f5a7db09951187a608d7ba1b71b41127da0 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 2 Jan 2024 17:52:43 +0100 +Subject: [PATCH] parser: Fix buffer size checks + +Don't test size of remaining data. This causes false positives with +memory buffers. + +Also impose XML_MAX_HUGE_LENGTH limit when parsing with XML_PARSE_HUGE. +--- + parser.c | 15 ++++++++++----- + parserInternals.c | 14 ++++++++------ + 2 files changed, 18 insertions(+), 11 deletions(-) + +diff --git a/parser.c b/parser.c +index 845e0fd3..77106c1d 100644 +--- a/parser.c ++++ b/parser.c +@@ -12198,6 +12198,8 @@ encoding_error: + int + xmlParseChunk(xmlParserCtxtPtr ctxt, const char *chunk, int size, + int terminate) { ++ size_t curBase; ++ size_t maxLength; + int end_in_lf = 0; + + if (ctxt == NULL) +@@ -12236,13 +12238,16 @@ xmlParseChunk(xmlParserCtxtPtr ctxt, const char *chunk, int size, + if (ctxt->instate == XML_PARSER_EOF) + return(ctxt->errNo); + +- if ((ctxt->input != NULL) && +- (((ctxt->input->end - ctxt->input->cur) > XML_MAX_LOOKUP_LIMIT) || +- ((ctxt->input->cur - ctxt->input->base) > XML_MAX_LOOKUP_LIMIT)) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); ++ curBase = ctxt->input->cur - ctxt->input->base; ++ maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_LOOKUP_LIMIT; ++ if (curBase > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, ++ "Buffer size limit exceeded, try XML_PARSE_HUGE\n"); + xmlHaltParser(ctxt); + } ++ + if ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1)) + return(ctxt->errNo); + +diff --git a/parserInternals.c b/parserInternals.c +index 166397bd..9484ebdd 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -511,8 +511,11 @@ int + xmlParserGrow(xmlParserCtxtPtr ctxt) { + xmlParserInputPtr in = ctxt->input; + xmlParserInputBufferPtr buf = in->buf; +- ptrdiff_t curEnd = in->end - in->cur; +- ptrdiff_t curBase = in->cur - in->base; ++ size_t curEnd = in->end - in->cur; ++ size_t curBase = in->cur - in->base; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_LOOKUP_LIMIT; + int ret; + + if (buf == NULL) +@@ -526,10 +529,9 @@ xmlParserGrow(xmlParserCtxtPtr ctxt) { + if (buf->error != 0) + return(-1); + +- if (((curEnd > XML_MAX_LOOKUP_LIMIT) || +- (curBase > XML_MAX_LOOKUP_LIMIT)) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlErrMemory(ctxt, "Huge input lookup"); ++ if (curBase > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, ++ "Buffer size limit exceeded, try XML_PARSE_HUGE\n"); + xmlHaltParser(ctxt); + return(-1); + } +-- +2.54.0 + diff --git a/libxml2.spec b/libxml2.spec index 669c5a7..26260d5 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -1,6 +1,6 @@ Name: libxml2 Version: 2.12.5 -Release: 11%{?dist} +Release: 12%{?dist} Summary: Library providing XML and HTML support # list.c, dict.c and few others use ISC-Veillard @@ -41,6 +41,9 @@ Patch10: libxml2-2.12.5-CVE-2025-32414.patch Patch11: libxml2-2.12.5-xmllint-error-code.patch # https://redhat.atlassian.net/browse/RHEL-36782 Patch12: libxml2-2.12.5-CVE-2024-34459.patch +# https://gitlab.gnome.org/GNOME/libxml2/-/commit/85f99023ae2eaec94ae0799fd37281a7f234d99a.patch +# https://redhat.atlassian.net/browse/RHEL-126803 +Patch13: libxml2-2.12.5-extra-content-parser-error.patch BuildRequires: cmake-rpm-macros BuildRequires: gcc @@ -181,6 +184,9 @@ popd %{python3_sitelib}/__pycache__/drv_libxml2.* %changelog +* Sat May 30 2026 David King - 2.12.5-12 +- Fix parser error (RHEL-126803) + * Mon May 18 2026 David King - 2.12.5-11 - Fix CVE-2024-34459 (RHEL-36782)