From da4b4a6815222bc02a42a7609813a04b837e98ec Mon Sep 17 00:00:00 2001
From: limin <limin191@huawei.com>
Date: Wed, 18 Jun 2025 14:46:21 +0800
Subject: [PATCH] =?UTF-8?q?libxml2=E5=AE=89=E5=85=A8=E6=BC=8F=E6=B4=9E?=
 =?UTF-8?q?=E8=A1=A5=E4=B8=81=E5=9B=9E=E5=90=88?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: limin <limin191@huawei.com>
---
 BUILD.gn                                      |  1 +
 ...-integer-overflow-in-xmlBuildQName-c.patch | 44 +++++++++++++++++++
 install.py                                    |  3 +-
 3 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch

diff --git a/BUILD.gn b/BUILD.gn
index f565730..35c79cf 100755
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -69,6 +69,7 @@ action("libxml2_install_action") {
     "Backport-CVE-2025-32414-python-Read-at-most-len-4-ch-c.patch",
     "Backport-CVE-2025-32415-schemas-Fix-heap-buffer-over-c.patch",
     "Fix_XML_PARSE_NOBLANKS_dropping_non-whitespace_text.patch",
+    "Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch",
   ]
 
   args = [
diff --git a/Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch b/Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch
new file mode 100644
index 0000000..13b59c8
--- /dev/null
+++ b/Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch
@@ -0,0 +1,44 @@
+From acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 27 May 2025 12:53:17 +0200
+Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
+
+This issue affects memory safety and might receive a CVE ID later.
+
+Fixes #926.
+---
+ tree.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 7454b07e6..e14bc62a0 100644
+--- a/tree.c
++++ b/tree.c
+@@ -168,10 +168,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ 	      xmlChar *memory, int len) {
+-    int lenn, lenp;
++    size_t lenn, lenp;
+     xmlChar *ret;
+ 
+-    if (ncname == NULL) return(NULL);
++    if ((ncname == NULL) || (len < 0)) return(NULL);
+     if (prefix == NULL) return((xmlChar *) ncname);
+ 
+ #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+@@ -182,8 +182,10 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ 
+     lenn = strlen((char *) ncname);
+     lenp = strlen((char *) prefix);
++    if (lenn >= SIZE_MAX - lenp - 1)
++        return(NULL);
+ 
+-    if ((memory == NULL) || (len < lenn + lenp + 2)) {
++    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+ 	ret = xmlMalloc(lenn + lenp + 2);
+ 	if (ret == NULL)
+ 	    return(NULL);
+-- 
+GitLab
+
diff --git a/install.py b/install.py
index c77e441..d0769b0 100755
--- a/install.py
+++ b/install.py
@@ -50,7 +50,8 @@ def do_patch(args, target_dir):
     patch_file = [
         "Backport-CVE-2025-32414-python-Read-at-most-len-4-ch-c.patch",
         "Backport-CVE-2025-32415-schemas-Fix-heap-buffer-over-c.patch",
-        "Fix_XML_PARSE_NOBLANKS_dropping_non-whitespace_text.patch"
+        "Fix_XML_PARSE_NOBLANKS_dropping_non-whitespace_text.patch",
+        "Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch"
     ]
 
     for patch in patch_file:
-- 
Gitee