From e1f8bbbf5fc808a81435456e9e5b9618ef4b5955 Mon Sep 17 00:00:00 2001
From: limin
Date: Tue, 24 Jun 2025 10:25:52 +0800
Subject: [PATCH] Fix relaxng is parsed to an infinite attrs->next loop
Signed-off-by: limin
---
 ...arsed-to-an-infinite-attrs-next-loop.patch | 84 +++++++++++++++++++
 install.py | 3 +-
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch
diff --git a/Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch b/Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch
new file mode 100644
index 0000000..4bb9798
--- /dev/null
+++ b/Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch
@@ -0,0 +1,84 @@
+From 6d71ed443d0b4ab1a3e9e43c6c2f1c2c3dc127cd Mon Sep 17 00:00:00 2001
+From: l30034438
+Date: Thu, 19 Jun 2025 11:11:08 +0800
+Subject: [PATCH] Fix relaxng is parsed to an infinite attrs->next loop
+
+Change-Id: I2b7b37c628b20bd234b84d8938d241dd722af087
+---
+ relaxng.c | 13 ++++++++++---
+ test/relaxng/useless_group.rng | 21 +++++++++++++++++++++
+ test/relaxng/useless_group.xml | 3 +++
+ 3 files changed, 34 insertions(+), 3 deletions(-)
+ create mode 100644 test/relaxng/useless_group.rng
+ create mode 100644 test/relaxng/useless_group.xml
+
+diff --git a/relaxng.c b/relaxng.c
+index c223dbb9..5ba76699 100644
+--- a/relaxng.c
++++ b/relaxng.c
+@@ -6018,6 +6018,7 @@ xmlRelaxNGSimplify(xmlRelaxNGParserCtxtPtr ctxt,
+ if (attronly == 1) {
+ /*
+ * migrate tmp to attrs
++ * if this runs twice an infinite attrs->next loop can be created
+ */
+ pre->next = tmp->next;
+ tmp->next = cur->attrs;
+@@ -6038,9 +6039,15 @@ xmlRelaxNGSimplify(xmlRelaxNGParserCtxtPtr ctxt,
+ if ((parent == NULL) && (prev == NULL)) {
+ cur->type = XML_RELAXNG_NOOP;
+ } else if (prev == NULL) {
+- parent->content = cur->content;
+- cur->content->next = cur->next;
+- cur = cur->content;
++ /*
++ * this simplification may already have happened
++ * if this is done twice this leads to an infinite loop of attrs->next
++ */
++ if (parent->content != cur->content) {
++ parent->content = cur->content;
++ cur->content->next = cur->next;
++ cur = cur->content;
++ }
+ } else {
+ cur->content->next = cur->next;
+ prev->next = cur->content;
+diff --git a/test/relaxng/useless_group.rng b/test/relaxng/useless_group.rng
+new file mode 100644
+index 00000000..f295a100
+--- /dev/null
++++ b/test/relaxng/useless_group.rng
+@@ -0,0 +1,21 @@
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
+diff --git a/test/relaxng/useless_group.xml b/test/relaxng/useless_group.xml
+new file mode 100644
+index 00000000..7806bd48
+--- /dev/null
++++ b/test/relaxng/useless_group.xml
+@@ -0,0 +1,3 @@
++
++
++
+--
+2.34.1
+
diff --git a/install.py b/install.py
index 53728ef..bbc05b6 100755
--- a/install.py
+++ b/install.py
@@ -237,7 +237,8 @@ def do_patch(args, target_dir):
 "Fix-CVE-2019-19956.patch",
 "Fix-CVE-2025-32414.patch",
 "Fix-CVE-2025-32415.patch",
- "Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch"
+ "Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch",
+ "Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch"
 ]
 for patch in patch_file:
--
Gitee
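Review bot: The comment added at the attrs-migration site (the `@@ -6018` hunk of the embedded relaxng.c patch) warns that running that block twice creates an infinite attrs->next loop, but no guard is added there; only the group-simplification branch in the `@@ -6038` hunk gets the `if (parent->content != cur->content)` check. If the migration can genuinely execute twice for the same node, a comment alone leaves the cycle reachable, so either add an equivalent guard there or reword the comment to say that the check in the `prev == NULL` branch below is what prevents the second run. The new guard is a pointer-identity test that suppresses the symptom without saying why the same group is simplified twice — presumably because one content node is reachable from more than one parent — and the comment should state that so a later reader does not remove it. The `else` branch for `prev != NULL` performs the same `cur->content->next = cur->next` splice unguarded, so it is worth confirming it cannot be reached twice for the same node, since a cycle here hangs the parser on a crafted schema. xmlRelaxNGSimplify starts and ends outside the hunk, and the contents of the added useless_group.rng/.xml regression files are not visible on this page.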
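Review bot: The last element of `patch_file` still has no trailing comma, which is why this hunk has to touch the unrelated `Backport-CVE-2025-6021…` line just to append a new entry; writing `"Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch",` keeps future additions to a single added line and avoids the silent adjacent-string concatenation that a forgotten comma in this list would produce. Patch application order follows list order here, and the new patch edits relaxng.c after the CVE backports, so a one-line comment such as `# applied in list order; keep fixes that touch the same file in dependency order` would help the next maintainer. do_patch starts and ends outside the hunk.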