diff options
Diffstat (limited to 'meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch')
| -rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch new file mode 100644 index 0000000000..97bf75f059 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch | |||
| @@ -0,0 +1,74 @@ | |||
| 1 | From d7657811964eac1cb9743bb98649278ad948f0d2 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Maks Verver <maks@verver.ch> | ||
| 3 | Date: Tue, 8 Apr 2025 13:13:55 +0200 | ||
| 4 | Subject: [PATCH] [CVE-2025-32414] python: Read at most len/4 characters. | ||
| 5 | |||
| 6 | Fixes #889 by reserving space in the buffer for UTF-8 encoding of text. | ||
| 7 | |||
| 8 | CVE: CVE-2025-32414 | ||
| 9 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d7657811964eac1cb9743bb98649278ad948f0d2] | ||
| 10 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
| 11 | --- | ||
| 12 | python/libxml.c | 28 ++++++++++++++++++---------- | ||
| 13 | 1 file changed, 18 insertions(+), 10 deletions(-) | ||
| 14 | |||
| 15 | diff --git a/python/libxml.c b/python/libxml.c | ||
| 16 | index 1fe8d685..2bf14078 100644 | ||
| 17 | --- a/python/libxml.c | ||
| 18 | +++ b/python/libxml.c | ||
| 19 | @@ -248,7 +248,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { | ||
| 20 | |||
| 21 | file = (PyObject *) context; | ||
| 22 | if (file == NULL) return(-1); | ||
| 23 | - ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len); | ||
| 24 | + /* When read() returns a string, the length is in characters not bytes, so | ||
| 25 | + request at most len / 4 characters to leave space for UTF-8 encoding. */ | ||
| 26 | + ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len / 4); | ||
| 27 | if (ret == NULL) { | ||
| 28 | printf("xmlPythonFileReadRaw: result is NULL\n"); | ||
| 29 | return(-1); | ||
| 30 | @@ -283,10 +285,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { | ||
| 31 | Py_DECREF(ret); | ||
| 32 | return(-1); | ||
| 33 | } | ||
| 34 | - if (lenread > len) | ||
| 35 | - memcpy(buffer, data, len); | ||
| 36 | - else | ||
| 37 | - memcpy(buffer, data, lenread); | ||
| 38 | + if (lenread < 0 || lenread > len) { | ||
| 39 | + printf("xmlPythonFileReadRaw: invalid lenread\n"); | ||
| 40 | + Py_DECREF(ret); | ||
| 41 | + return(-1); | ||
| 42 | + } | ||
| 43 | + memcpy(buffer, data, lenread); | ||
| 44 | Py_DECREF(ret); | ||
| 45 | return(lenread); | ||
| 46 | } | ||
| 47 | @@ -310,7 +314,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) { | ||
| 48 | |||
| 49 | file = (PyObject *) context; | ||
| 50 | if (file == NULL) return(-1); | ||
| 51 | - ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len); | ||
| 52 | + /* When io_read() returns a string, the length is in characters not bytes, so | ||
| 53 | + request at most len / 4 characters to leave space for UTF-8 encoding. */ | ||
| 54 | + ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4); | ||
| 55 | if (ret == NULL) { | ||
| 56 | printf("xmlPythonFileRead: result is NULL\n"); | ||
| 57 | return(-1); | ||
| 58 | @@ -345,10 +351,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) { | ||
| 59 | Py_DECREF(ret); | ||
| 60 | return(-1); | ||
| 61 | } | ||
| 62 | - if (lenread > len) | ||
| 63 | - memcpy(buffer, data, len); | ||
| 64 | - else | ||
| 65 | - memcpy(buffer, data, lenread); | ||
| 66 | + if (lenread < 0 || lenread > len) { | ||
| 67 | + printf("xmlPythonFileRead: invalid lenread\n"); | ||
| 68 | + Py_DECREF(ret); | ||
| 69 | + return(-1); | ||
| 70 | + } | ||
| 71 | + memcpy(buffer, data, lenread); | ||
| 72 | Py_DECREF(ret); | ||
| 73 | return(lenread); | ||
| 74 | } | ||