File libxml2-CVE-2025-32414.patch of Package libxml2.38388
Index: libxml2-2.9.7/python/libxml.c
===================================================================
--- libxml2-2.9.7.orig/python/libxml.c
+++ libxml2-2.9.7/python/libxml.c
@@ -286,7 +286,9 @@ xmlPythonFileReadRaw (void * context, ch
#endif
file = (PyObject *) context;
if (file == NULL) return(-1);
- ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len);
+ /* When read() returns a string, the length is in characters not bytes, so
+ request at most len / 4 characters to leave space for UTF-8 encoding. */
+ ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len / 4);
if (ret == NULL) {
printf("xmlPythonFileReadRaw: result is NULL\n");
return(-1);
@@ -321,10 +323,12 @@ xmlPythonFileReadRaw (void * context, ch
Py_DECREF(ret);
return(-1);
}
- if (lenread > len)
- memcpy(buffer, data, len);
- else
- memcpy(buffer, data, lenread);
+ if (lenread < 0 || lenread > len) {
+ printf("xmlPythonFileReadRaw: invalid lenread\n");
+ Py_DECREF(ret);
+ return(-1);
+ }
+ memcpy(buffer, data, lenread);
Py_DECREF(ret);
return(lenread);
}
@@ -351,7 +355,9 @@ xmlPythonFileRead (void * context, char
#endif
file = (PyObject *) context;
if (file == NULL) return(-1);
- ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len);
+ /* When io_read() returns a string, the length is in characters not bytes, so
+ request at most len / 4 characters to leave space for UTF-8 encoding. */
+ ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4);
if (ret == NULL) {
printf("xmlPythonFileRead: result is NULL\n");
return(-1);
@@ -386,10 +392,12 @@ xmlPythonFileRead (void * context, char
Py_DECREF(ret);
return(-1);
}
- if (lenread > len)
- memcpy(buffer, data, len);
- else
- memcpy(buffer, data, lenread);
+ if (lenread < 0 || lenread > len) {
+ printf("xmlPythonFileRead: invalid lenread\n");
+ Py_DECREF(ret);
+ return(-1);
+ }
+ memcpy(buffer, data, lenread);
Py_DECREF(ret);
return(lenread);
}
