1From edd40353cfd6807b5395386fe2b8471abce752c6 Mon Sep 17 00:00:00 2001 2From: Maks Verver <maks@verver.ch> 3Date: Tue, 8 Apr 2025 13:13:55 +0200 4Subject: [PATCH] [Backport][CVE-2025-32414] python: Read at most len/4 5CVE: CVE-2025-32414 6Reference:https://gitlab.gnome.org/GNOME/libxml2/-/commit/53d259454161eee801d22c56e08ea331b4c495b5 7--- 8 python/libxml.c | 28 ++++++++++++++++++---------- 9 1 file changed, 18 insertions(+), 10 deletions(-) 10 11diff --git a/python/libxml.c b/python/libxml.c 12index 5dea502..0a1e408 100644 13--- a/python/libxml.c 14+++ b/python/libxml.c 15@@ -237,7 +237,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { 16 17 file = (PyObject *) context; 18 if (file == NULL) return(-1); 19- ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len); 20+ /* When read() returns a string, the length is in characters not bytes, so 21+ request at most len / 4 characters to leave space for UTF-8 encoding. */ 22+ ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len / 4); 23 if (ret == NULL) { 24 printf("xmlPythonFileReadRaw: result is NULL\n"); 25 return(-1); 26@@ -272,10 +274,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { 27 Py_DECREF(ret); 28 return(-1); 29 } 30- if (lenread > len) 31- memcpy(buffer, data, len); 32- else 33- memcpy(buffer, data, lenread); 34+ if (lenread < 0 || lenread > len) { 35+ printf("xmlPythonFileReadRaw: invalid lenread\n"); 36+ Py_DECREF(ret); 37+ return(-1); 38+ } 39+ memcpy(buffer, data, lenread); 40 Py_DECREF(ret); 41 return(lenread); 42 } 43@@ -299,7 +303,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) { 44 45 file = (PyObject *) context; 46 if (file == NULL) return(-1); 47- ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len); 48+ /* When io_read() returns a string, the length is in characters not bytes, so 49+ request at most len / 4 characters to leave space for UTF-8 encoding. */ 50+ ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4); 51 if (ret == NULL) { 52 printf("xmlPythonFileRead: result is NULL\n"); 53 return(-1); 54@@ -334,10 +340,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) { 55 Py_DECREF(ret); 56 return(-1); 57 } 58- if (lenread > len) 59- memcpy(buffer, data, len); 60- else 61- memcpy(buffer, data, lenread); 62+ if (lenread < 0 || lenread > len) { 63+ printf("xmlPythonFileRead: invalid lenread\n"); 64+ Py_DECREF(ret); 65+ return(-1); 66+ } 67+ memcpy(buffer, data, lenread); 68 Py_DECREF(ret); 69 return(lenread); 70 } 71-- 722.1.4 73 74