Submitted By:            Douglas R. Reno <renodr at linuxfromscratch dot org>
Date:                    2025-06-21
Initial Package Version: 2.13.8
Upstream Status:         Applied
Origin:                  Upstream commit ad346c9a
Description              Fixes CVE-2025-6021, an integer overflow leading to a
                         buffer overflow in the xmlBuildQName() function. Most
                         applications in BLFS are not impacted, but some are -
                         notably PHP, and WINE in Zeckma's GLFS book. A minor
                         modification was added to include <stdint.h> so that
                         SIZE_MAX was defined.

diff -Naurp libxml2-2.13.8.orig/tree.c libxml2-2.13.8/tree.c
--- libxml2-2.13.8.orig/tree.c	2025-06-21 22:33:08.968118057 -0500
+++ libxml2-2.13.8/tree.c	2025-06-21 22:37:17.362709589 -0500
@@ -23,6 +23,7 @@
 #include <limits.h>
 #include <ctype.h>
 #include <stdlib.h>
+#include <stdint.h>
 
 #ifdef LIBXML_ZLIB_ENABLED
 #include <zlib.h>
@@ -167,10 +168,10 @@ xmlGetParameterEntityFromDtd(const xmlDt
 xmlChar *
 xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
 	      xmlChar *memory, int len) {
-    int lenn, lenp;
+    size_t lenn, lenp;
     xmlChar *ret;
 
-    if (ncname == NULL) return(NULL);
+    if ((ncname == NULL) || (len < 0)) return(NULL);
     if (prefix == NULL) return((xmlChar *) ncname);
 
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
@@ -181,8 +182,10 @@ xmlBuildQName(const xmlChar *ncname, con
 
     lenn = strlen((char *) ncname);
     lenp = strlen((char *) prefix);
+    if (lenn >= SIZE_MAX - lenp - 1)
+       return(NULL);
 
-    if ((memory == NULL) || (len < lenn + lenp + 2)) {
+    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
 	ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
 	if (ret == NULL)
 	    return(NULL);