From 79abeb402f5570330f092b3dbe326798079231c9 Mon Sep 17 00:00:00 2001 From: David King Date: Tue, 16 Jun 2026 14:59:25 +0100 Subject: [PATCH] Fix potential buffer overflows of interactive shell CVE-2025-6170 Fixes #941 on 2.12 branch. Based on upstream commit 069bcda17d8194e9582c64dd4bc9dac99b015810 by Michael Mann. --- debugXML.c | 15 ++++++++++----- xmllint.c | 8 +++++--- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/debugXML.c b/debugXML.c index 303515ec..63b77ba6 100644 --- a/debugXML.c +++ b/debugXML.c @@ -2779,6 +2779,10 @@ xmlShellPwd(xmlShellCtxtPtr ctxt ATTRIBUTE_UNUSED, char *buffer, return (0); } +#define MAX_PROMPT_SIZE 500 +#define MAX_ARG_SIZE 400 +#define MAX_COMMAND_SIZE 100 + /** * xmlShell: * @doc: the initial document @@ -2794,10 +2798,10 @@ void xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input, FILE * output) { - char prompt[500] = "/ > "; + char prompt[MAX_PROMPT_SIZE] = "/ > "; char *cmdline = NULL, *cur; - char command[100]; - char arg[400]; + char command[MAX_COMMAND_SIZE]; + char arg[MAX_ARG_SIZE]; int i; xmlShellCtxtPtr ctxt; xmlXPathObjectPtr list; @@ -2855,7 +2859,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input, cur++; i = 0; while ((*cur != ' ') && (*cur != '\t') && - (*cur != '\n') && (*cur != '\r')) { + (*cur != '\n') && (*cur != '\r') && + (i < (MAX_COMMAND_SIZE - 1))) { if (*cur == 0) break; command[i++] = *cur++; @@ -2870,7 +2875,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input, while ((*cur == ' ') || (*cur == '\t')) cur++; i = 0; - while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) { + while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) { if (*cur == 0) break; arg[i++] = *cur++; diff --git a/xmllint.c b/xmllint.c index 4d84c640..4b2c06d9 100644 --- a/xmllint.c +++ b/xmllint.c @@ -722,6 +722,8 @@ xmlHTMLValidityWarning(void *ctx, const char *msg, ...) xmlHTMLEncodeSend(); } +#define MAX_PROMPT_SIZE 500 + /************************************************************************ * * * Shell Interface * @@ -752,16 +754,16 @@ xmlShellReadline(char *prompt) { return (line_read); #else - char line_read[501]; + char line_read[MAX_PROMPT_SIZE+1]; char *ret; int len; if (prompt != NULL) fprintf(stdout, "%s", prompt); fflush(stdout); - if (!fgets(line_read, 500, stdin)) + if (!fgets(line_read, MAX_PROMPT_SIZE, stdin)) return(NULL); - line_read[500] = 0; + line_read[MAX_PROMPT_SIZE] = 0; len = strlen(line_read); ret = (char *) malloc(len + 1); if (ret != NULL) { -- 2.54.0