diff --git a/Fix-CVE-2019-19956.patch b/Fix-CVE-2019-19956.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0d9ba3837cae99b60e73aeb93ffdc00c1eb91a2f
--- /dev/null
+++ b/Fix-CVE-2019-19956.patch
@@ -0,0 +1,15 @@
+diff --git a/parser.c b/parser.c
+index 0f58bf7..bcf9a2e 100644
+--- a/parser.c
++++ b/parser.c
+@@ -13877,8 +13877,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
+ xmlFreeParserCtxt(ctxt);
+ newDoc->intSubset = NULL;
+ newDoc->extSubset = NULL;
+- /* This leaks the namespace list if doc == NULL */
+- newDoc->oldNs = NULL;
++ if(doc != NULL)
++ newDoc->oldNs = NULL;
+ xmlFreeDoc(newDoc);
+
+ return(ret);
diff --git a/Fix-CVE-2025-24928.patch b/Fix-CVE-2025-24928.patch
index 7e38b314a59c2761aeff4280cab2974d7751f6ac..0a0653b94daa21decf6c444d5a594fce4a174864 100644
--- a/Fix-CVE-2025-24928.patch
+++ b/Fix-CVE-2025-24928.patch
@@ -1,19 +1,8 @@
-From 8c8753ad5280ee13aee5eec9b0f6eee2ed920f57 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Tue, 11 Feb 2025 17:30:40 +0100
-Subject: [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in
- xmlSnprintfElements
-
-Fixes #847.
----
- valid.c | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
 diff --git a/valid.c b/valid.c
-index d63137fa0..6a8ae1fb4 100644
+index 92aaedb..2ba5cdd 100644
 --- a/valid.c
 +++ b/valid.c
-@@ -4997,26 +4997,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) {
+@@ -5268,25 +5268,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) {
 return;
 }
 switch (cur->type) {
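Review bot: The new patch file carries no provenance — nothing precedes the inner `diff --git a/parser.c b/parser.c` (no upstream commit id, author, date or issue reference), unlike Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch added in the same commit, so a reviewer cannot check this backport against the upstream fix for CVE-2019-19956. The inner change also deletes the only explanatory comment and leaves the new guard bare; since `git apply` and `patch` ignore text before the first `diff` line, a header line such as `Backport of the upstream libxml2 fix for CVE-2019-19956 (memory leak in xmlParseBalancedChunkMemoryRecover); upstream commit id: <fill in>` costs nothing, and a why-comment on the guard would keep the reasoning the removed comment hinted at, e.g. `/* only detach oldNs when it was borrowed from doc; when doc == NULL the list belongs to newDoc and xmlFreeDoc() must release it — confirm against the assignment earlier in this function */`. The new `if(doc != NULL)` also drops the space that the rest of libxml2 uses (`if (doc != NULL)`). The enclosing xmlParseBalancedChunkMemoryRecover body starts outside the hunk.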
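Review bot: Stripping the format-patch envelope removes the upstream commit id `8c8753ad5280ee13aee5eec9b0f6eee2ed920f57`, the author and date, and the `Fixes #847.` reference, leaving the rebased patch with nothing that ties it to the upstream CVE-2025-24928 fix. If the envelope has to go so that the rebased hunk applies cleanly, keep one line above the inner `diff --git a/valid.c b/valid.c`, e.g. `Backport of upstream libxml2 commit 8c8753ad5280ee13aee5eec9b0f6eee2ed920f57 ([CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements, #847), rebased to the hunk at valid.c:5268.` — `patch` and `git apply` skip leading text. The inner hunk header changes from 26/26 to 25/26 lines and the rest of that inner hunk lies in the unchanged part of the file, so the rebase itself cannot be verified from this hunk.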
@@ -42,15 +31,15 @@ index d63137fa0..6a8ae1fb4 100644 - strcat(buf, " ..."); - return; - } - if (cur->name != NULL) - strcat(buf, (char *) cur->name); - if (cur->next != NULL) - strcat(buf, " "); +- strcat(buf, (char *) cur->name); +- if (cur->next != NULL) +- strcat(buf, " "); ++ if (cur->name != NULL) ++ strcat(buf, (char *) cur->name); ++ if (cur->next != NULL) ++ strcat(buf, " "); break; -+ } ++ } case XML_TEXT_NODE: if (xmlIsBlankNode(cur)) break; --- -GitLab -
diff --git a/Fix-malloc-fail.patch b/Fix-malloc-fail.patch
index e8ec411f6b810c8e62f3216397fc7f5a1f5503ec..3edbb299c55f32c61dfbfd2bc0ca61b4ccd92376 100644
--- a/Fix-malloc-fail.patch
+++ b/Fix-malloc-fail.patch
@@ -1,8 +1,8 @@
 diff --git a/buf.c b/buf.c
-index 40a5ee06..1fa975a6 100644
+index d8992f7..1ae7542 100644
 --- a/buf.c
 +++ b/buf.c
-@@ -1265,7 +1265,7 @@ xmlBufMergeBuffer(xmlBufPtr buf, xmlBufferPtr buffer) {
+@@ -1261,7 +1261,7 @@ xmlBufMergeBuffer(xmlBufPtr buf, xmlBufferPtr buffer) {
 */
 int
 xmlBufResetInput(xmlBufPtr buf, xmlParserInputPtr input) {
@@ -10,4 +10,4 @@ index 40a5ee06..1fa975a6 100644
 + if ((input == NULL) || (buf == NULL))
 return(-1);
 CHECK_COMPAT(buf)
- input->base = input->cur = buf->content;
\ No newline at end of file
+ input->base = input->cur = buf->content;
diff --git a/Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch b/Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b708cd3a7700e9d40eaae5a3e73445f6bd578520
--- /dev/null
+++ b/Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch
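Review bot: The part of the upstream fix that actually stops the overflow — the remaining-space check performed before `strcat(buf, (char *) cur->name)` and `strcat(buf, " ")` — is not in this hunk; what the hunk rewrites is only the removal/re-addition of those `strcat` lines and the closing `}` of the new `case` block, so it is worth confirming that the rebased inner hunk (its middle lies in the unchanged lines between the two outer hunks) still guards these unbounded `strcat` calls with the same bound as upstream. Because the collapsed layout here no longer distinguishes outer context from outer removals, the hunk should be re-read in its original line form before merging. The enclosing xmlSnprintfElements body starts and ends outside the hunk.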
@@ -0,0 +1,50 @@
+From 9f8484602f53ac23c5af031c96c36829191e6b92 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sun, 9 Mar 2025 13:31:10 +0100
+Subject: [PATCH] malloc-fail: Fix type confusion in
+ xmlSchemaCheckAGPropsCorrect
+
+Attribute groups must be marked as containing references also if an OOM
+error occurred. Otherwise, references won't be resolved, leading to type
+confusion in xmlSchemaCheckAGPropsCorrect later in the fixup phase.
+
+I'm not sure why xmlSchemaFixupComponents is called at all if an error
+occurred. This has lead to similar issues in the past. On the other
+hand, continuing in the presence of errors helps when fuzzing.
+
+See #344.
+---
+ xmlschemas.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index b3214f508..796e0edf4 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -7715,6 +7715,7 @@ xmlSchemaParseAttributeGroupDefinition(xmlSchemaParserCtxtPtr pctxt,
+ xmlNodePtr child = NULL;
+ xmlAttrPtr attr;
+ int hasRefs = 0;
++ int res;
+
+ if ((pctxt == NULL) || (schema == NULL) || (node == NULL))
+ return (NULL);
+@@ -7769,12 +7770,13 @@ xmlSchemaParseAttributeGroupDefinition(xmlSchemaParserCtxtPtr pctxt,
+ /*
+ * Parse contained attribute decls/refs.
+ */
+- if (xmlSchemaParseLocalAttributes(pctxt, schema, &child,
++ res = xmlSchemaParseLocalAttributes(pctxt, schema, &child,
+ (xmlSchemaItemListPtr *) &(ret->attrUses),
+- XML_SCHEMA_TYPE_ATTRIBUTEGROUP, &hasRefs) == -1)
+- return(NULL);
++ XML_SCHEMA_TYPE_ATTRIBUTEGROUP, &hasRefs);
+ if (hasRefs)
+ ret->flags |= XML_SCHEMAS_ATTRGROUP_HAS_REFS;
++ if (res == -1)
++ return(NULL);
+ /*
+ * Parse the attribute wildcard.
+ */
+--
+GitLab
\ No newline at end of file
diff --git a/install.py b/install.py
index 9fdb8399c1bcdf5b663c3a4126cd68eff5902b5c..b7ebc782da7a64035a767e4738590ba3e8f7902d 100755
--- a/install.py
+++ b/install.py
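Review bot: The new patch file is committed without a trailing newline (`+GitLab` is followed by `\ No newline at end of file`), which is exactly the defect this same commit repairs in Fix-malloc-fail.patch; `patch` warns about a file that ends mid-line and some apply tooling rejects it, so add the final newline before merging. Keeping the full upstream envelope (commit `9f8484602f53ac23c5af031c96c36829191e6b92`, `See #344.`) is the right call and is what the sibling Fix-CVE-2019-19956.patch lacks. On the inner change itself, the reordering relies on `ret` already being owned by the schema when the function returns NULL after a `-1` result — the upstream message says fixup still runs after errors — and that ownership is established outside the hunk, so it is worth a glance at the allocation of `ret` earlier in xmlSchemaParseAttributeGroupDefinition.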
@@ -91,7 +91,6 @@ def do_patch(args, target_dir):
 "backport-xinclude-Fix-more-memory-leaks-in-xmlXIncludeLoadDoc.patch",
 "backport-schemas-Fix-infinite-loop-in-xmlSchemaCheckElemSubst.patch",
 "backport-malloc-fail-Fix-memory-leak-in-xmlCreatePushParserCt.patch",
- "backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch",
 "backport-malloc-fail-Fix-memory-leak-in-xmlNewPropInternal.patch",
 "backport-malloc-fail-Fix-memory-leak-in-xmlNewDocNodeEatName.patch",
 "backport-malloc-fail-Fix-infinite-loop-in-xmlSkipBlankChars.patch",
@@ -233,7 +232,9 @@ def do_patch(args, target_dir):
 "Fix-CVE-2024-34459.patch",
 "Fix-CVE-2024-56171.patch",
 "Fix-CVE-2025-24928.patch",
- "Fix-CVE-2025-27113.patch"
+ "Fix-CVE-2025-27113.patch",
+ "Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch",
+ "Fix-CVE-2019-19956.patch"
 ]
 for patch in patch_file:
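Review bot: Removing `"backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch"` from the apply list silently un-applies a memory-leak fix, and nothing in this diff deletes that patch file or records why it is no longer wanted (already in the base source, superseded by another patch, or failing to apply after the rebase). Either delete the orphaned file in the same change or leave a comment at the removal point, e.g. `# xmlStaticCopyNodeList leak fix dropped: <reason>` with the reason filled in, so the next audit of the patch set does not re-add it. The do_patch body continues outside the hunk.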
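Review bot: The two appended entries break the ordering the surrounding list follows (`Fix-CVE-2024-34459` through `Fix-CVE-2025-27113` run chronologically) by placing `"Fix-CVE-2019-19956.patch"` after the 2025 fixes. Since `do_patch` applies patches in list order, the position matters whenever hunks touch the same region; if the 2019 patch must come last because it was rebased on top of the preceding patches, say so inline, e.g. `"Fix-CVE-2019-19956.patch",  # keep last: rebased on top of the patches above` — otherwise sort it with the other CVE fixes so the list stays readable. The closing `]` and the `for patch in patch_file:` loop are inside the hunk, but the rest of do_patch is not.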