mirror of
https://gitlab.gnome.org/GNOME/libxml2.git
synced 2025-10-23 01:52:48 +03:00
[CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements
Fixes #847.
This commit is contained in:
Nick Wellnhofer
16
valid.c
16
valid.c
@@ -4997,26 +4997,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
switch (cur->type) {
|
switch (cur->type) {
|
||||||
case XML_ELEMENT_NODE:
|
case XML_ELEMENT_NODE: {
|
||||||
if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {
|
int qnameLen = xmlStrlen(cur->name);
|
||||||
if (size - len < xmlStrlen(cur->ns->prefix) + 10) {
|
|
||||||
|
if ((cur->ns != NULL) && (cur->ns->prefix != NULL))
|
||||||
|
qnameLen += xmlStrlen(cur->ns->prefix) + 1;
|
||||||
|
if (size - len < qnameLen + 10) {
|
||||||
if ((size - len > 4) && (buf[len - 1] != '.'))
|
if ((size - len > 4) && (buf[len - 1] != '.'))
|
||||||
strcat(buf, " ...");
|
strcat(buf, " ...");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {
|
||||||
strcat(buf, (char *) cur->ns->prefix);
|
strcat(buf, (char *) cur->ns->prefix);
|
||||||
strcat(buf, ":");
|
strcat(buf, ":");
|
||||||
}
|
}
|
||||||
if (size - len < xmlStrlen(cur->name) + 10) {
|
|
||||||
if ((size - len > 4) && (buf[len - 1] != '.'))
|
|
||||||
strcat(buf, " ...");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
if (cur->name != NULL)
|
if (cur->name != NULL)
|
||||||
strcat(buf, (char *) cur->name);
|
strcat(buf, (char *) cur->name);
|
||||||
if (cur->next != NULL)
|
if (cur->next != NULL)
|
||||||
strcat(buf, " ");
|
strcat(buf, " ");
|
||||||
break;
|
break;
|
||||||
|
}
|
||||||
case XML_TEXT_NODE:
|
case XML_TEXT_NODE:
|
||||||
if (xmlIsBlankNode(cur))
|
if (xmlIsBlankNode(cur))
|
||||||
break;
|
break;
|
||||||
|
|||||||
Reference in New Issue
Block a user