From 21e416595bfaf341e01e60a6c72a930783d9dd10 Mon Sep 17 00:00:00 2001
From: limin
Date: Thu, 19 Jun 2025 15:18:28 +0800
Subject: [PATCH 1/2] =?UTF-8?q?libxml2=E5=AE=89=E5=85=A8=E6=BC=8F=E6=B4=9E?= =?UTF-8?q?=E8=A1=A5=E4=B8=81=E5=9B=9E=E5=90=88?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: limin
---
 BUILD.gn | 1 +
 ...arsed-to-an-infinite-attrs-next-loop.patch | 84 +++++++++++++++++++
 install.py | 3 +-
 3 files changed, 87 insertions(+), 1 deletion(-)
 create mode 100644 Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch

diff --git a/BUILD.gn b/BUILD.gn
index 35c79cf..64e702a 100755
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -70,6 +70,7 @@ action("libxml2_install_action") {
 "Backport-CVE-2025-32415-schemas-Fix-heap-buffer-over-c.patch",
 "Fix_XML_PARSE_NOBLANKS_dropping_non-whitespace_text.patch",
 "Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch",
+ "Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch",
 ]
 args = [
diff --git a/Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch b/Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch
new file mode 100644
index 0000000..73c97e2
--- /dev/null
+++ b/Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch
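Review bot: The list this hunk extends with `+ "Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch",` is maintained by hand in two places — here in BUILD.gn and in `patch_file` in install.py (the `@@ -51,7 +51,8 @@ def do_patch` hunk further down) — so an entry added to one and forgotten in the other silently produces a build whose applied patch set differs from what `install.py` applies, with no error from either side. Consider keeping a single list that both the gn action and the script read, or at least a check in `do_patch` that the two lists agree. A smaller point on the install.py hunk: its last element carries no trailing comma, so every addition there is a two-line change; writing the last entry as `"Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch",` as BUILD.gn already does makes future additions one-line and keeps the two lists textually comparable.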
@@ -0,0 +1,84 @@
+From 6d71ed443d0b4ab1a3e9e43c6c2f1c2c3dc127cd Mon Sep 17 00:00:00 2001
+From: l30034438
+Date: Thu, 19 Jun 2025 11:11:08 +0800
+Subject: [PATCH] Fix relaxng is parsed to an infinite attrs->next loop
+
+Change-Id: I2b7b37c628b20bd234b84d8938d241dd722af087
+---
+ relaxng.c | 13 ++++++++++---
+ test/relaxng/useless_group.rng | 21 +++++++++++++++++++++
+ test/relaxng/useless_group.xml | 3 +++
+ 3 files changed, 34 insertions(+), 3 deletions(-)
+ create mode 100644 test/relaxng/useless_group.rng
+ create mode 100644 test/relaxng/useless_group.xml
+
+diff --git a/relaxng.c b/relaxng.c
+index c223dbb9..5ba76699 100644
+--- a/relaxng.c
++++ b/relaxng.c
+@@ -6018,6 +6018,7 @@ xmlRelaxNGSimplify(xmlRelaxNGParserCtxtPtr ctxt,
+ if (attronly == 1) {
+ /*
+ * migrate tmp to attrs
++ * if this runs twice an infinite attrs->next loop can be created
+ */
+ pre->next = tmp->next;
+ tmp->next = cur->attrs;
+@@ -6038,9 +6038,15 @@ xmlRelaxNGSimplify(xmlRelaxNGParserCtxtPtr ctxt,
+ if ((parent == NULL) && (prev == NULL)) {
+ cur->type = XML_RELAXNG_NOOP;
+ } else if (prev == NULL) {
+- parent->content = cur->content;
+- cur->content->next = cur->next;
+- cur = cur->content;
++ /*
++ * this simplification may already have happened
++ * if this is done twice this leads to an infinite loop of attrs->next
++ */
++ if (parent->content != cur->content) {
++ parent->content = cur->content;
++ cur->content->next = cur->next;
++ cur = cur->content;
++ }
+ } else {
+ cur->content->next = cur->next;
+ prev->next = cur->content;
+diff --git a/test/relaxng/useless_group.rng b/test/relaxng/useless_group.rng
+new file mode 100644
+index 00000000..f295a100
+--- /dev/null
++++ b/test/relaxng/useless_group.rng
+@@ -0,0 +1,21 @@
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
+diff --git a/test/relaxng/useless_group.xml b/test/relaxng/useless_group.xml
+new file mode 100644
+index 00000000..7806bd48
+--- /dev/null
++++ b/test/relaxng/useless_group.xml
+@@ -0,0 +1,3 @@
++
++
++
+-- 
+2.34.1
+

diff --git a/install.py b/install.py
index d0769b0..998a2bb 100755
--- a/install.py
+++ b/install.py
@@ -51,7 +51,8 @@ def do_patch(args, target_dir):
 "Backport-CVE-2025-32414-python-Read-at-most-len-4-ch-c.patch",
 "Backport-CVE-2025-32415-schemas-Fix-heap-buffer-over-c.patch",
 "Fix_XML_PARSE_NOBLANKS_dropping_non-whitespace_text.patch",
- "Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch"
+ "Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch",
+ "Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch"
 ]
 for patch in patch_file:
-- Gitee

From 02a36d130f3e7a41fd288d82c7dd04526848565c Mon Sep 17 00:00:00 2001
From: limin
Date: Thu, 19 Jun 2025 07:31:50 +0000
Subject: [PATCH 2/2] update Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch.

Signed-off-by: limin
---
 Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch b/Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch
index 73c97e2..4bb9798 100644
--- a/Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch
+++ b/Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch
@@ -24,7 +24,7 @@ index c223dbb9..5ba76699 100644
 */
 pre->next = tmp->next;
 tmp->next = cur->attrs;
-@@ -6038,9 +6038,15 @@ xmlRelaxNGSimplify(xmlRelaxNGParserCtxtPtr ctxt,
+@@ -6038,9 +6039,15 @@ xmlRelaxNGSimplify(xmlRelaxNGParserCtxtPtr ctxt,
 if ((parent == NULL) && (prev == NULL)) {
 cur->type = XML_RELAXNG_NOOP;
 } else if (prev == NULL) {
-- Gitee
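Review bot: The embedded patch's header carries no upstream reference — no libxml2 commit id, issue number or CVE, unlike the neighbouring `Backport-CVE-…` patches — so a reader cannot tell whether this is a backport or a local fix, which matters when the tree is next rebased onto a newer libxml2; a line under the Change-Id naming the upstream commit or issue (or stating explicitly that the fix is local) would settle it. In the `@@ -6038` hunk the guard `if (parent->content != cur->content)` stops the hoist from running twice, but when it is false `cur` is deliberately left at the group node instead of being moved to `cur->content`, and whether the enclosing loop then makes progress is decided by code outside the hunk, so a one-line comment at the guard explaining why leaving `cur` in place is safe would help the next reader; xmlRelaxNGSimplify begins and ends outside this hunk. The two new test files appear on this page as bare `+` lines, and `useless_group.rng` shows fewer added lines than its `+1,21` header declares — if that is the file's real content rather than the page stripping XML markup, the nested patch will not apply. If this tree's runtest pairs a schema with instance documents named `<schema>_N.xml` as upstream libxml2 does, `useless_group.xml` will never be exercised and the regression the patch fixes stays untested; naming it `useless_group_1.xml` would fix that.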