1 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch
new file mode 100644
index 0000000000..157486848b
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch
@@ -0,0 +1,59 @@
+From 33d7969baf541326a35e2fbe31943c46af8c71db Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 27 May 2025 12:53:17 +0200
+Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
+This issue affects memory safety and might receive a CVE ID later.
+Fixes #926.
+Signed-off-by: Nick Wellnhofer <wellnhofer@aevum.de>
+Add '#include <stdint.h>' to assure the definition of SIZE_MAX
+CVE: CVE-2025-6021
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ tree.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+diff --git a/tree.c b/tree.c
+index 7454b07..22ec11c 100644
+--- a/tree.c
+++ b/tree.c
+@@ -23,6 +23,7 @@
+ #include <limits.h>
+ #include <ctype.h>
+ #include <stdlib.h>
+#include <stdint.h>
+ 
+ #ifdef LIBXML_ZLIB_ENABLED
+ #include <zlib.h>
+@@ -168,10 +169,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+              xmlChar *memory, int len) {
+-    int lenn, lenp;
+    size_t lenn, lenp;
+     xmlChar *ret;
+ 
+-    if (ncname == NULL) return(NULL);
+    if ((ncname == NULL) || (len < 0)) return(NULL);
+     if (prefix == NULL) return((xmlChar *) ncname);
+ 
+ #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+@@ -182,8 +183,10 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ 
+     lenn = strlen((char *) ncname);
+     lenp = strlen((char *) prefix);
+    if (lenn >= SIZE_MAX - lenp - 1)
+        return(NULL);
+ 
+-    if ((memory == NULL) || (len < lenn + lenp + 2)) {
+    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+        ret = xmlMalloc(lenn + lenp + 2);
+        if (ret == NULL)
+            return(NULL);
+-- 
+2.34.1

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch new file mode 100644 index 0000000000..157486848b --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch
@@ -0,0 +1,59 @@
	1	From 33d7969baf541326a35e2fbe31943c46af8c71db Mon Sep 17 00:00:00 2001
	2	From: Nick Wellnhofer <wellnhofer@aevum.de>
	3	Date: Tue, 27 May 2025 12:53:17 +0200
	4	Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
	5
	6	This issue affects memory safety and might receive a CVE ID later.
	7
	8	Fixes #926.
	9
	10	Signed-off-by: Nick Wellnhofer <wellnhofer@aevum.de>
	11
	12	Add '#include <stdint.h>' to assure the definition of SIZE_MAX
	13	CVE: CVE-2025-6021
	14	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0]
	15	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
	16	---
	17	tree.c \| 9 ++++++---
	18	1 file changed, 6 insertions(+), 3 deletions(-)
	19
	20	diff --git a/tree.c b/tree.c
	21	index 7454b07..22ec11c 100644
	22	--- a/tree.c
	23	+++ b/tree.c
	24	@@ -23,6 +23,7 @@
	25	#include <limits.h>
	26	#include <ctype.h>
	27	#include <stdlib.h>
	28	+#include <stdint.h>
	29
	30	#ifdef LIBXML_ZLIB_ENABLED
	31	#include <zlib.h>
	32	@@ -168,10 +169,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd dtd, const xmlChar name) {
	33	xmlChar *
	34	xmlBuildQName(const xmlChar ncname, const xmlChar prefix,
	35	xmlChar *memory, int len) {
	36	- int lenn, lenp;
	37	+ size_t lenn, lenp;
	38	xmlChar *ret;
	39
	40	- if (ncname == NULL) return(NULL);
	41	+ if ((ncname == NULL) \|\| (len < 0)) return(NULL);
	42	if (prefix == NULL) return((xmlChar *) ncname);
	43
	44	#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
	45	@@ -182,8 +183,10 @@ xmlBuildQName(const xmlChar ncname, const xmlChar prefix,
	46
	47	lenn = strlen((char *) ncname);
	48	lenp = strlen((char *) prefix);
	49	+ if (lenn >= SIZE_MAX - lenp - 1)
	50	+ return(NULL);
	51
	52	- if ((memory == NULL) \|\| (len < lenn + lenp + 2)) {
	53	+ if ((memory == NULL) \|\| ((size_t) len < lenn + lenp + 2)) {
	54	ret = xmlMalloc(lenn + lenp + 2);
	55	if (ret == NULL)
	56	return(NULL);
	57	--
	58	2.34.1
	59