summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch')
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch58
1 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch
new file mode 100644
index 0000000000..6da43f81a5
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch
@@ -0,0 +1,58 @@
1From 858ca26c0689161a6b903a6682cc8a1cc10a0ea8 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Tue, 11 Feb 2025 17:30:40 +0100
4Subject: [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in
5 xmlSnprintfElements
6
7Fixes #847.
8
9CVE: CVE-2025-24928
10Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/858ca26c0689161a6b903a6682cc8a1cc10a0ea8]
11Signed-off-by: Peter Marko <peter.marko@siemens.com>
12---
13 valid.c | 25 +++++++++++++------------
14 1 file changed, 13 insertions(+), 12 deletions(-)
15
16diff --git a/valid.c b/valid.c
17index ed3c8503..36a0435b 100644
18--- a/valid.c
19+++ b/valid.c
20@@ -5259,25 +5259,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) {
21 return;
22 }
23 switch (cur->type) {
24- case XML_ELEMENT_NODE:
25+ case XML_ELEMENT_NODE: {
26+ int qnameLen = xmlStrlen(cur->name);
27+
28+ if ((cur->ns != NULL) && (cur->ns->prefix != NULL))
29+ qnameLen += xmlStrlen(cur->ns->prefix) + 1;
30+ if (size - len < qnameLen + 10) {
31+ if ((size - len > 4) && (buf[len - 1] != '.'))
32+ strcat(buf, " ...");
33+ return;
34+ }
35 if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {
36- if (size - len < xmlStrlen(cur->ns->prefix) + 10) {
37- if ((size - len > 4) && (buf[len - 1] != '.'))
38- strcat(buf, " ...");
39- return;
40- }
41 strcat(buf, (char *) cur->ns->prefix);
42 strcat(buf, ":");
43 }
44- if (size - len < xmlStrlen(cur->name) + 10) {
45- if ((size - len > 4) && (buf[len - 1] != '.'))
46- strcat(buf, " ...");
47- return;
48- }
49- strcat(buf, (char *) cur->name);
50+ if (cur->name != NULL)
51+ strcat(buf, (char *) cur->name);
52 if (cur->next != NULL)
53 strcat(buf, " ");
54 break;
55+ }
56 case XML_TEXT_NODE:
57 if (xmlIsBlankNode(cur))
58 break;