From d3850b1f934acb0d0079d12c6443a4fbb0890552 Mon Sep 17 00:00:00 2001
From: limin
Date: Thu, 17 Jul 2025 09:52:56 +0800
Subject: [PATCH] =?UTF-8?q?libxml2=E5=AE=89=E5=85=A8=E6=BC=8F=E6=B4=9ECVE-?= =?UTF-8?q?2025-6170=E8=A1=A5=E4=B8=81=E5=9B=9E=E5=90=88?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: limin
---
 ...buffer-overflow-of-interactive-shell.patch | 47 +++++++++++++++++++
 install.py | 3 +-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 Backport-CVE-2025-6170-Fix-potential-buffer-overflow-of-interactive-shell.patch
diff --git a/Backport-CVE-2025-6170-Fix-potential-buffer-overflow-of-interactive-shell.patch b/Backport-CVE-2025-6170-Fix-potential-buffer-overflow-of-interactive-shell.patch
new file mode 100644
index 0000000..1689104
--- /dev/null
+++ b/Backport-CVE-2025-6170-Fix-potential-buffer-overflow-of-interactive-shell.patch
@@ -0,0 +1,47 @@
+diff --git a/debugXML.c b/debugXML.c
+index 7a2ca47..8e0ceb5 100644
+--- a/debugXML.c
++++ b/debugXML.c
+@@ -35,6 +35,9 @@
+ #endif
+
+ #define DUMP_TEXT_TYPE 1
++#define MAX_PROMPT_SIZE 500
++#define MAX_ARG_SIZE 400
++#define MAX_COMMAND_SIZE 100
+
+ typedef struct _xmlDebugCtxt xmlDebugCtxt;
+ typedef xmlDebugCtxt *xmlDebugCtxtPtr;
+@@ -2802,10 +2805,10 @@ void
+ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+ FILE * output)
+ {
+- char prompt[500] = "/ > ";
++ char prompt[MAX_PROMPT_SIZE] = "/ > ";
+ char *cmdline = NULL, *cur;
+- char command[100];
+- char arg[400];
++ char command[MAX_COMMAND_SIZE];
++ char arg[MAX_ARG_SIZE];
+ int i;
+ xmlShellCtxtPtr ctxt;
+ xmlXPathObjectPtr list;
+@@ -2863,7 +2866,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+ cur++;
+ i = 0;
+ while ((*cur != ' ') && (*cur != '\t') &&
+- (*cur != '\n') && (*cur != '\r')) {
++ (*cur != '\n') && (*cur != '\r') &&
++ (i < (MAX_COMMAND_SIZE - 1))) {
+ if (*cur == 0)
+ break;
+ command[i++] = *cur++;
+@@ -2878,7 +2882,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+ while ((*cur == ' ') || (*cur == '\t'))
+ cur++;
+ i = 0;
+- while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
++ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE - 1))) {
+ if (*cur == 0)
+ break;
+ arg[i++] = *cur++;
diff --git a/install.py b/install.py
index 53728ef..b74ec18 100755
--- a/install.py
+++ b/install.py
@@ -237,7 +237,8 @@ def do_patch(args, target_dir):
 "Fix-CVE-2019-19956.patch",
 "Fix-CVE-2025-32414.patch",
 "Fix-CVE-2025-32415.patch",
- "Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch"
+ "Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch",
+ "Backport-CVE-2025-6170-Fix-potential-buffer-overflow-of-interactive-shell.patch"
 ]

 for patch in patch_file:
-- Gitee
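Review bot: Both bounded copy loops in `xmlShell` truncate silently: once `i` reaches `MAX_COMMAND_SIZE - 1` or `MAX_ARG_SIZE - 1` the copy simply stops, and nothing visible in the hunks reports that the input was too long. For an argument that names a file or path, the shell would then presumably act on a shortened string rather than the one the user typed, so it would be safer to reject the line; for example, test `if ((i == MAX_ARG_SIZE - 1) && (*cur != 0) && (*cur != '\n') && (*cur != '\r'))` after the loop, print an error and skip dispatch. In the command loop the unread tail of an over-long word stays at `cur` and would likely be consumed as the start of the argument by the loop that follows. The terminator writes and the command dispatch lie outside these hunks, so both effects need confirming against the full function. As a smaller style point, the `if (*cur == 0) break;` inside the argument loop is redundant with the `(*cur != 0)` test already in its condition.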