path: root/meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch
From 5e9ec5c107d3f5b5179c3dbc19df43df041cd55b Mon Sep 17 00:00:00 2001
From: Michael Mann <mmann78@netscape.net>
Date: Fri, 20 Jun 2025 23:05:00 -0400
Subject: [PATCH] [CVE-2025-6170] Fix potential buffer overflows of interactive
 shell

Fixes #941

CVE: CVE-2025-6170
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c107d3f5b5179c3dbc19df43df041cd55b]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 debugXML.c                       | 15 ++++++++++-----
 result/scripts/long_command      |  8 ++++++++
 test/scripts/long_command.script |  6 ++++++
 test/scripts/long_command.xml    |  1 +
 4 files changed, 25 insertions(+), 5 deletions(-)
 create mode 100644 result/scripts/long_command
 create mode 100644 test/scripts/long_command.script
 create mode 100644 test/scripts/long_command.xml

diff --git a/debugXML.c b/debugXML.c
index ed56b0f8..452b9573 100644
--- a/debugXML.c
+++ b/debugXML.c
@@ -1050,6 +1050,10 @@ xmlCtxtDumpOneNode(xmlDebugCtxtPtr ctxt, xmlNodePtr node)
     xmlCtxtGenericNodeCheck(ctxt, node);
 }
 
+#define MAX_PROMPT_SIZE     500
+#define MAX_ARG_SIZE        400
+#define MAX_COMMAND_SIZE    100
+
 /**
  * xmlCtxtDumpNode:
  * @output:  the FILE * for the output
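Review bot: The three size macros have no comment and are defined in front of the xmlCtxtDumpNode documentation, far from the only uses visible in this patch (the buffers and loops in xmlShell, around line 2806). A one-line comment would say what they bound, for example `/* Buffer sizes for the xmlShell() prompt, argument and command; the parsing loops stop at size - 1. */`. Placing the block directly above xmlShell would keep the limits next to the loops that enforce them.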
@@ -2802,10 +2806,10 @@ void
 xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
          FILE * output)
 {
-    char prompt[500] = "/ > ";
+    char prompt[MAX_PROMPT_SIZE] = "/ > ";
     char *cmdline = NULL, *cur;
-    char command[100];
-    char arg[400];
+    char command[MAX_COMMAND_SIZE];
+    char arg[MAX_ARG_SIZE];
     int i;
     xmlShellCtxtPtr ctxt;
     xmlXPathObjectPtr list;
@@ -2863,7 +2867,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
             cur++;
         i = 0;
         while ((*cur != ' ') && (*cur != '\t') &&
-               (*cur != '\n') && (*cur != '\r')) {
+               (*cur != '\n') && (*cur != '\r') &&
+               (i < (MAX_COMMAND_SIZE - 1))) {
             if (*cur == 0)
                 break;
             command[i++] = *cur++;
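Review bot: The new `i < (MAX_COMMAND_SIZE - 1)` bound stops the write past `command[]`, but it truncates silently: the loop exits with `cur` still inside the over-long token, and the whitespace skip and argument loop in the next hunk then appear to parse the remainder as the argument. The `MAX_ARG_SIZE` bound in the following hunk behaves the same way, so a command such as `set` or `save` runs with a shortened argument instead of failing; the expected output added by this patch shows `set` storing the cut-off text. Consider detecting the overflow after each loop, e.g. `if ((i == MAX_COMMAND_SIZE - 1) && (*cur != 0) && (*cur != ' ') && (*cur != '\t') && (*cur != '\n') && (*cur != '\r'))`, then reporting an error and skipping the line rather than dispatching it. The termination of `command[]` and the release of `cmdline` lie outside this hunk, so the exact placement has to be checked against the full function.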
@@ -2878,7 +2883,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
         while ((*cur == ' ') || (*cur == '\t'))
             cur++;
         i = 0;
-        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
+        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
             if (*cur == 0)
                 break;
             arg[i++] = *cur++;
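Review bot: The argument-loop condition is now one long line and writes `MAX_ARG_SIZE-1` without spaces, while the command loop in the previous hunk wraps the condition and writes `MAX_COMMAND_SIZE - 1`. Formatting both the same way keeps the two bounds easy to compare: `while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) &&` followed by `(i < (MAX_ARG_SIZE - 1))) {`. The loop body and the write of the terminator continue outside this hunk.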
diff --git a/result/scripts/long_command b/result/scripts/long_command
new file mode 100644
index 00000000..e6f00708
--- /dev/null
+++ b/result/scripts/long_command
@@ -0,0 +1,8 @@
+/ > b > b > Object is a Node Set :
+Set contains 1 nodes:
+1  ELEMENT a:c
+b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
+b > b > Unknown command ess_currents_of_time_and_existence
+b > <?xml version="1.0"?>
+<a xmlns:a="bar"><b xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
+b > 
\ No newline at end of file
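Review bot: The reference output pins `Unknown command ess_currents_of_time_and_existence`, i.e. the tail of the over-long `set` line being dispatched as a separate command. As far as the hunks show, that split does not come from the loops changed in debugXML.c; it presumably happens in the line reader that feeds xmlShell, which is outside this patch. Recording it as the expected result makes the behaviour look intended. A follow-up that discards the rest of an over-long input line, with this result file updated to match, would make it clear that running overflow text as a command is a limitation and not a requirement.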
diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
new file mode 100644
index 00000000..00f6df09
--- /dev/null
+++ b/test/scripts/long_command.script
@@ -0,0 +1,6 @@
+cd a/b
+set <a:c/>
+xpath //*[namespace-uri()="foo"]
+This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
+set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
+save -
diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
new file mode 100644
index 00000000..1ba44016
--- /dev/null
+++ b/test/scripts/long_command.xml
@@ -0,0 +1 @@
+<a xmlns:a="bar"><b xmlns:a="foo"/></a>