Google Git
Sign in
fuchsia / third_party / libxml2 / refs/heads/upstream/2.12^! / .
commitd7657811964eac1cb9743bb98649278ad948f0d2[log] [tgz]
authorMaks Verver <maks@verver.ch>Tue Apr 08 13:13:55 2025 +0200
committerNick Wellnhofer <wellnhofer@aevum.de>Sun Apr 13 13:58:16 2025 +0200
tree3e893cf3aa8ef7906668495d9f2532066c332ee9
parent1e3fd2677a19e82e5af556653b6ad7176ccea89e [diff]
[CVE-2025-32414] python: Read at most len/4 characters.

Fixes #889 by reserving space in the buffer for UTF-8 encoding of text.

diff --git a/python/libxml.c b/python/libxml.c
index 1fe8d68..2bf1407 100644
--- a/python/libxml.c
+++ b/python/libxml.c

@@ -248,7 +248,9 @@
 
     file = (PyObject *) context;
     if (file == NULL) return(-1);
-    ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len);
+    /* When read() returns a string, the length is in characters not bytes, so
+       request at most len / 4 characters to leave space for UTF-8 encoding. */
+    ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len / 4);
     if (ret == NULL) {
 	printf("xmlPythonFileReadRaw: result is NULL\n");
 	return(-1);
@@ -283,10 +285,12 @@
 	Py_DECREF(ret);
 	return(-1);
     }
-    if (lenread > len)
-	memcpy(buffer, data, len);
-    else
-	memcpy(buffer, data, lenread);
+    if (lenread < 0 || lenread > len) {
+	printf("xmlPythonFileReadRaw: invalid lenread\n");
+	Py_DECREF(ret);
+	return(-1);
+    }
+    memcpy(buffer, data, lenread);
     Py_DECREF(ret);
     return(lenread);
 }
@@ -310,7 +314,9 @@
 
     file = (PyObject *) context;
     if (file == NULL) return(-1);
-    ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len);
+    /* When io_read() returns a string, the length is in characters not bytes, so
+       request at most len / 4 characters to leave space for UTF-8 encoding. */
+    ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4);
     if (ret == NULL) {
 	printf("xmlPythonFileRead: result is NULL\n");
 	return(-1);
@@ -345,10 +351,12 @@
 	Py_DECREF(ret);
 	return(-1);
     }
-    if (lenread > len)
-	memcpy(buffer, data, len);
-    else
-	memcpy(buffer, data, lenread);
+    if (lenread < 0 || lenread > len) {
+	printf("xmlPythonFileRead: invalid lenread\n");
+	Py_DECREF(ret);
+	return(-1);
+    }
+    memcpy(buffer, data, lenread);
     Py_DECREF(ret);
     return(lenread);
 }