1From acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Tue, 27 May 2025 12:53:17 +0200
4Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
5
6This issue affects memory safety and might receive a CVE ID later.
7
8Fixes #926.
9---
10 tree.c | 8 +++++---
11 1 file changed, 5 insertions(+), 3 deletions(-)
12
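diff --git a/tree.c b/tree.c
index 7454b07e6..e14bc62a0 100644
--- a/tree.c
+++ b/tree.c
@@ -168,10 +168,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
 xmlChar *
 xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
 	      xmlChar *memory, int len) {
-    int lenn, lenp;
+    size_t lenn, lenp;
     xmlChar *ret;
 
-    if (ncname == NULL) return(NULL);
+    if ((ncname == NULL) || (len < 0)) return(NULL);
     if (prefix == NULL) return((xmlChar *) ncname);
 
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
@@ -182,8 +182,10 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
 
     lenn = strlen((char *) ncname);
     lenp = strlen((char *) prefix);
+    if (lenn >= SIZE_MAX - lenp - 1)
+        return(NULL);
 
-    if ((memory == NULL) || (len < lenn + lenp + 2)) {
+    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
 	ret = xmlMalloc(lenn + lenp + 2);
 	if (ret == NULL)
 	    return(NULL);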
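Review bot: The new guard `if (lenn >= SIZE_MAX - lenp - 1)` in the second hunk is correct but reads as a magic expression; a one-line comment would spare the next reader the algebra, e.g. `/* reject lengths for which lenn + lenp + 2 would wrap size_t */`. It also depends on `SIZE_MAX`, so tree.c must already pull in <stdint.h>, which is not visible in this hunk and is worth confirming. In the first hunk the `len < 0` rejection now runs before the `prefix == NULL` early return, so a negative len with no prefix returns NULL where it previously returned ncname; if that is intended, the function's header comment (outside the hunk) should state that len must be non-negative and that NULL is returned otherwise. xmlBuildQName's body continues past the end of the second hunk.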
42--
43GitLab
44
45