File libxml2-CVE-2025-9714-3.patch of Package libxml2.41581
From 2d97a97aa515f1bd3efc35c8ea2aa68676c6f8e1 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 15 Mar 2019 16:27:58 +0100
Subject: [PATCH] Optional recursion limit when parsing XPath expressions
Useful to avoid call stack overflows when fuzzing. Note that parsing a
parenthesized expression currently consumes more than 10 stack frames,
so this limit should be set rather low.
---
include/libxml/xpath.h | 1 +
xpath.c | 16 ++++++++++++++++
2 files changed, 17 insertions(+)
Index: libxml2-2.9.4/include/libxml/xpath.h
===================================================================
--- libxml2-2.9.4.orig/include/libxml/xpath.h
+++ libxml2-2.9.4/include/libxml/xpath.h
@@ -360,6 +360,7 @@ struct _xmlXPathContext {
unsigned long opCount;
int depth;
int maxDepth;
+ int maxParserDepth;
};
/*
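Review bot: The added `maxParserDepth` field has no comment, and nothing here tells a reader that it is checked against the same `depth` counter that sits next to `maxDepth`. I would document it in place, for example `int maxParserDepth; /* max nesting while compiling an expression; compared against 'depth' */`. The struct is public and grows by one member, so it is also worth confirming that callers obtain it only through xmlXPathNewContext(); any code that allocates or copies the struct by size would presumably leave the new field uninitialised.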
Index: libxml2-2.9.4/xpath.c
===================================================================
--- libxml2-2.9.4.orig/xpath.c
+++ libxml2-2.9.4/xpath.c
@@ -6185,6 +6185,7 @@ xmlXPathNewContext(xmlDocPtr doc) {
ret->proximityPosition = -1;
ret->maxDepth = INT_MAX;
+ ret->maxParserDepth = INT_MAX;
#ifdef XP_DEFAULT_CACHE_ON
if (xmlXPathContextSetCache(ret, 1, -1, 0) == -1) {
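Review bot: Initialising `maxParserDepth` to `INT_MAX` means the new check never fires unless the application lowers the value itself, so a default context is still exposed to stack exhaustion from deeply nested expressions. The commit message says a parenthesized expression costs more than 10 stack frames per level and that the limit should be low, but that guidance is not visible at the point where the default is set. At minimum I would add a comment on this line such as `/* no parser recursion limit by default; set a low value before compiling untrusted XPath */`. A finite default would be safer if compatibility allows it. The body of xmlXPathNewContext continues outside this hunk.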
@@ -11073,6 +11074,14 @@ xmlXPathCompAndExpr(xmlXPathParserContex
*/
static void
xmlXPathCompileExpr(xmlXPathParserContextPtr ctxt, int sort) {
+ xmlXPathContextPtr xpctxt = ctxt->context;
+
+ if (xpctxt != NULL) {
+ if (xpctxt->depth >= xpctxt->maxParserDepth)
+ XP_ERROR(XPATH_RECURSION_LIMIT_EXCEEDED);
+ xpctxt->depth += 1;
+ }
+
xmlXPathCompAndExpr(ctxt);
CHECK_ERROR;
SKIP_BLANKS;
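Review bot: The increment `xpctxt->depth += 1` is only undone by the decrement added at the end of xmlXPathCompileExpr (next hunk), so a return through `CHECK_ERROR` after `xmlXPathCompAndExpr(ctxt)` appears to leave `depth` elevated. That is harmless only while every caller resets `depth` before the next compile, and the function does not say so. I would either decrement on the error returns or state the assumption, e.g. `/* depth is not restored on error; entry points reset it to 0 before compiling */`. The rest of the function body lies outside this hunk, so any other early returns there should be checked the same way.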
@@ -11094,6 +11103,9 @@ xmlXPathCompileExpr(xmlXPathParserContex
*/
PUSH_UNARY_EXPR(XPATH_OP_SORT, ctxt->comp->last , 0, 0);
}
+
+ if (xpctxt != NULL)
+ xpctxt->depth -= 1;
}
/**
@@ -14962,6 +14974,8 @@ xmlXPathCtxtCompile(xmlXPathContextPtr c
pctxt = xmlXPathNewParserContext(str, ctxt);
if (pctxt == NULL)
return NULL;
+ if (ctxt != NULL)
+ ctxt->depth = 0;
xmlXPathCompileExpr(pctxt, 1);
if( pctxt->error != XPATH_EXPRESSION_OK )
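Review bot: The unconditional `ctxt->depth = 0` before `xmlXPathCompileExpr(pctxt, 1)` overwrites a counter that, judging by the neighbouring `maxDepth` field, is also used for the evaluation recursion limit. If this function is ever reached while an evaluation on the same context is in progress (for example from an extension function), the outer depth would be lost and the evaluation limit weakened. Saving and restoring the value is safer than resetting it: `oldDepth = ctxt->depth;` before the call and `ctxt->depth = oldDepth;` after it, both under the existing `ctxt != NULL` guard. Restoring also repairs the counter after an error return from the compiler. The same applies to the `ctxt->context->depth = 0` reset in the xmlXPathEvalExpr hunk below.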
@@ -15168,6 +15182,8 @@ xmlXPathEvalExpr(xmlXPathParserContextPt
} else
#endif
{
+ if (ctxt->context != NULL)
+ ctxt->context->depth = 0;
xmlXPathCompileExpr(ctxt, 1);
if ((ctxt->error == XPATH_EXPRESSION_OK) &&
(ctxt->comp != NULL) &&