File fix-CVE-2025-47911.patch of Package distrobuilder
diff -rubN vendor/golang.org/x/net/html/escape.go vendor-patched/golang.org/x/net/html/escape.go
--- a/vendor/golang.org/x/net/html/escape.go 2025-06-06 12:16:37.000000000 +0200
+++ b/vendor-patched/golang.org/x/net/html/escape.go 2025-10-09 10:38:44.325052734 +0200
@@ -299,7 +299,7 @@
case '\r':
esc = " "
default:
- panic("unrecognized escape character")
+ panic("html: unrecognized escape character")
}
s = s[i+1:]
if _, err := w.WriteString(esc); err != nil {
diff -rubN vendor/golang.org/x/net/html/parse.go vendor-patched/golang.org/x/net/html/parse.go
--- a/vendor/golang.org/x/net/html/parse.go 2025-10-09 10:39:56.705570069 +0200
+++ b/vendor-patched/golang.org/x/net/html/parse.go 2025-10-09 10:38:59.062361676 +0200
@@ -231,7 +231,14 @@
}
if n.Type == ElementNode {
+ p.insertOpenElement(n)
+ }
+}
+
+func (p *parser) insertOpenElement(n *Node) {
p.oe = append(p.oe, n)
+ if len(p.oe) > 512 {
+ panic("html: open stack of elements exceeds 512 nodes")
}
}
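Review bot: The limit in insertOpenElement is a bare literal `512` that is repeated in the panic message and again in the Parse doc comment later in this patch. A named constant such as `const maxOpenElements = 512`, with a one-line comment saying it bounds element nesting for untrusted input, would keep the three in step. The check only covers pushes that go through this helper, so any other direct write to `p.oe` in the vendored copy (none is visible in this diff) would bypass it and is worth a grep before the package ships. The function that now calls the helper starts outside the hunk.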
@@ -810,7 +817,7 @@
p.im = inFramesetIM
return true
case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
- p.oe = append(p.oe, p.head)
+ p.insertOpenElement(p.head)
defer p.oe.remove(p.head)
return inHeadIM(p)
case a.Head:
@@ -2324,9 +2331,13 @@
}
}
-func (p *parser) parse() error {
+func (p *parser) parse() (err error) {
+ defer func() {
+ if panicErr := recover(); panicErr != nil {
+ err = fmt.Errorf("%s", panicErr)
+ }
+ }()
// Iterate until EOF. Any other error will cause an early return.
- var err error
for err != io.EOF {
// CDATA sections are allowed only in foreign content.
n := p.oe.top()
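Review bot: The deferred `recover()` added to parse() turns every panic into a plain error, not just the nesting-limit panic from insertOpenElement. A genuine parser bug such as a nil dereference or an out-of-range index would therefore come back as an ordinary parse failure and be easy to miss in logs. Callers also get an untyped `fmt.Errorf("%s", …)` value, so they cannot tell "input rejected by limit" from any other error. One option is to have insertOpenElement panic with a dedicated error type, `panic(limitError("html: open stack of elements exceeds 512 nodes"))`, and recover only that type as sketched below. This diverges from a straight backport, so it may be better raised upstream than carried locally. The body of parse() continues outside the hunk.

```go
// limitError marks a panic raised on purpose when a parser limit is exceeded.
type limitError string

func (e limitError) Error() string { return string(e) }

func (p *parser) parse() (err error) {
	defer func() {
		switch r := recover().(type) {
		case nil:
		case limitError:
			err = r
		default:
			panic(r) // not a limit violation: let the crash surface
		}
	}()
	// … unchanged: token loop until io.EOF …
```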
@@ -2355,6 +2366,8 @@
// <tag>s. Conversely, explicit <tag>s in r's data can be silently dropped,
// with no corresponding node in the resulting tree.
//
+// Parse will reject HTML that is nested deeper than 512 elements.
+//
// The input is assumed to be UTF-8 encoded.
func Parse(r io.Reader) (*Node, error) {
return ParseWithOptions(r)
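Review bot: The added doc sentence says Parse "will reject" deeply nested HTML but not how the rejection is reported. Callers handling untrusted documents need to know that it arrives as a non-nil error from Parse rather than as a truncated tree. Suggested wording: `// Parse returns a non-nil error, and no usable tree, for HTML nested deeper than 512 elements.` If the other exported entry points in parse.go run through the same parser, which looks likely but is not visible in this hunk, their doc comments should carry the same sentence. Parse's closing brace lies outside the hunk.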