From 5e9ec5c107d3f5b5179c3dbc19df43df041cd55b Mon Sep 17 00:00:00 2001
From: Michael Mann
Date: Fri, 20 Jun 2025 23:05:00 -0400
Subject: [PATCH] [CVE-2025-6170] Fix potential buffer overflows of interactive shell

Fixes #941
---
 debugXML.c | 15 ++++++++++-----
 result/scripts/long_command | 8 ++++++++
 test/scripts/long_command.script | 6 ++++++
 test/scripts/long_command.xml | 1 +
 4 files changed, 25 insertions(+), 5 deletions(-)
 create mode 100644 result/scripts/long_command
 create mode 100644 test/scripts/long_command.script
 create mode 100644 test/scripts/long_command.xml

diff --git a/debugXML.c b/debugXML.c
index ed56b0f882..452b9573d8 100644
--- a/debugXML.c
+++ b/debugXML.c
@@ -1033,6 +1033,10 @@ xmlCtxtDumpOneNode(xmlDebugCtxtPtr ctxt, xmlNodePtr node)
 xmlCtxtGenericNodeCheck(ctxt, node);
 }
 
+#define MAX_PROMPT_SIZE 500
+#define MAX_ARG_SIZE 400
+#define MAX_COMMAND_SIZE 100
+
 /**
 * xmlCtxtDumpNode:
 * @output: the FILE * for the output
@@ -2795,10 +2799,10 @@ void
 xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
 FILE * output)
 {
- char prompt[500] = "/ > ";
+ char prompt[MAX_PROMPT_SIZE] = "/ > ";
 char *cmdline = NULL, *cur;
- char command[100];
- char arg[400];
+ char command[MAX_COMMAND_SIZE];
+ char arg[MAX_ARG_SIZE];
 int i;
 xmlShellCtxtPtr ctxt;
 xmlXPathObjectPtr list;
@@ -2856,7 +2860,8 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
 cur++;
 i = 0;
 while ((*cur != ' ') && (*cur != '\t') &&
- (*cur != '\n') && (*cur != '\r')) {
+ (*cur != '\n') && (*cur != '\r') &&
+ (i < (MAX_COMMAND_SIZE - 1))) {
 if (*cur == 0)
 break;
 command[i++] = *cur++;
@@ -2871,7 +2876,7 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
 while ((*cur == ' ') || (*cur == '\t'))
 cur++;
 i = 0;
- while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
+ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
 if (*cur == 0)
 break;
 arg[i++] = *cur++;
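Review bot: The bound `(i < (MAX_COMMAND_SIZE - 1))` added to the command loop stops the overflow but truncates an over-long token silently, leaving `cur` inside the token so that its tail is parsed as the argument; result/scripts/long_command shows exactly that, with the command reported as its first 99 characters. The same applies to `(i < (MAX_ARG_SIZE-1))` in the last hunk, where the argument of `set`, `save` and the other commands is acted on in truncated form without any diagnostic (the saved content in the result file ends at `_every_prof`). I would check after each bounded loop whether it ended on a delimiter, e.g. `if ((i == MAX_COMMAND_SIZE - 1) && (*cur != 0) && (*cur != ' ') && (*cur != '\t') && (*cur != '\n') && (*cur != '\r'))` (and the analogous '\n'/'\r'/0 check after the argument loop), and on that condition print a "too long" message and discard the line rather than execute a truncated command, which matters most when the truncated argument is a file path. The terminating `command[i] = 0` / `arg[i] = 0` writes that the `- 1` leaves room for are outside the hunks, as are the start and end of xmlShell, so I am assuming they are unchanged. As a point of style, `MAX_ARG_SIZE-1` drops the spacing used in `MAX_COMMAND_SIZE - 1` and pushes that `while` condition well past 80 columns, where the command loop was wrapped instead.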
diff --git a/result/scripts/long_command b/result/scripts/long_command
new file mode 100644
index 0000000000..e6f00708ba
--- /dev/null
+++ b/result/scripts/long_command
@@ -0,0 +1,8 @@
+/ > b > b > Object is a Node Set :
+Set contains 1 nodes:
+1 ELEMENT a:c
+b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
+b > b > Unknown command ess_currents_of_time_and_existence
+b > 
+Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof
+b > 
\ No newline at end of file
diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
new file mode 100644
index 0000000000..00f6df09f9
--- /dev/null
+++ b/test/scripts/long_command.script
@@ -0,0 +1,6 @@
+cd a/b
+set
+xpath //*[namespace-uri()="foo"]
+This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
+set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
+save -
diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
new file mode 100644
index 0000000000..1ba44016e1
--- /dev/null
+++ b/test/scripts/long_command.xml
@@ -0,0 +1 @@
+