1From 8c8753ad5280ee13aee5eec9b0f6eee2ed920f57 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Tue, 11 Feb 2025 17:30:40 +0100
4Subject: [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in
5 xmlSnprintfElements
6
7Fixes #847.
8---
9 valid.c | 22 +++++++++++-----------
10 1 file changed, 11 insertions(+), 11 deletions(-)
11
12diff --git a/valid.c b/valid.c
13index d63137fa0..6a8ae1fb4 100644
14--- a/valid.c
15+++ b/valid.c
16@@ -4997,26 +4997,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) {
17 return;
18 }
19 switch (cur->type) {
20- case XML_ELEMENT_NODE:
21+ case XML_ELEMENT_NODE: {
22+ int qnameLen = xmlStrlen(cur->name);
23+
24+ if ((cur->ns != NULL) && (cur->ns->prefix != NULL))
25+ qnameLen += xmlStrlen(cur->ns->prefix) + 1;
26+ if (size - len < qnameLen + 10) {
27+ if ((size - len > 4) && (buf[len - 1] != '.'))
28+ strcat(buf, " ...");
29+ return;
30+ }
31 if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {
32- if (size - len < xmlStrlen(cur->ns->prefix) + 10) {
33- if ((size - len > 4) && (buf[len - 1] != '.'))
34- strcat(buf, " ...");
35- return;
36- }
37 strcat(buf, (char *) cur->ns->prefix);
38 strcat(buf, ":");
39 }
40- if (size - len < xmlStrlen(cur->name) + 10) {
41- if ((size - len > 4) && (buf[len - 1] != '.'))
42- strcat(buf, " ...");
43- return;
44- }
45 if (cur->name != NULL)
46 strcat(buf, (char *) cur->name);
47 if (cur->next != NULL)
48 strcat(buf, " ");
49 break;
50+ }
51 case XML_TEXT_NODE:
52 if (xmlIsBlankNode(cur))
53 break;
54--
55GitLab
56
57
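Review bot: The combined guard `if (size - len < qnameLen + 10)` still protects a run of unbounded `strcat` calls with a hand-computed length, and neither the reserve of `10` nor the invariant it enforces is written down. A short comment above the check should state that `qnameLen` counts prefix, `':'` and name together, and name which trailing bytes the extra 10 is meant to reserve (presumably the separator and the terminating NUL; confirm against the rest of the function), so that a later edit does not reintroduce a check based on a stale `len`. `qnameLen` is a signed `int` summed from two `xmlStrlen` results plus constants, so the guard also depends on name lengths being bounded elsewhere; if that is not guaranteed, compare without the addition, e.g. `if (qnameLen > size - len - 10)`. In the truncation branch `buf[len - 1]` is read whenever `size - len > 4`, which assumes `len > 0`; adding `(len > 0) &&` would make that explicit. The function's loop and the computation of `len` start outside the hunk, so whether `buf` can be empty at this point cannot be confirmed from here.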