c/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2 synced 2025-03-28 21:33:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

[CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements

Browse Source 
Fixes #847.
This commit is contained in:
Nick Wellnhofer 2025-02-11 17:30:40 +01:00
parent 245b70d7d2
commit 858ca26c06
1 changed files with 13 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
valid.c
View File

@ -5057,25 +5057,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) {
return; return;
} }
switch (cur->type) { switch (cur->type) {
case XML_ELEMENT_NODE: case XML_ELEMENT_NODE: {
int qnameLen = xmlStrlen(cur->name);
if ((cur->ns != NULL) && (cur->ns->prefix != NULL))
qnameLen += xmlStrlen(cur->ns->prefix) + 1;
if (size - len < qnameLen + 10) {
if ((size - len > 4) && (buf[len - 1] != '.'))
strcat(buf, " ...");
return;
}
if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) { if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {
if (size - len < xmlStrlen(cur->ns->prefix) + 10) {
if ((size - len > 4) && (buf[len - 1] != '.'))
strcat(buf, " ...");
return;
}
strcat(buf, (char *) cur->ns->prefix); strcat(buf, (char *) cur->ns->prefix);
strcat(buf, ":"); strcat(buf, ":");
} }
if (size - len < xmlStrlen(cur->name) + 10) { if (cur->name != NULL)
if ((size - len > 4) && (buf[len - 1] != '.')) strcat(buf, (char *) cur->name);
strcat(buf, " ...");
return;
}
strcat(buf, (char *) cur->name);
if (cur->next != NULL) if (cur->next != NULL)
strcat(buf, " "); strcat(buf, " ");
break; break;
}
case XML_TEXT_NODE: case XML_TEXT_NODE:
if (xmlIsBlankNode(cur)) if (xmlIsBlankNode(cur))
break; break;