From 4294643b75fcddcf31727f1b69ac8364bd47fad5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gutyina=20Gerg=C5=91?=
Date: Thu, 17 Jul 2025 09:59:21 +0200
Subject: [PATCH 1/4] libxml2: add patch for CVE-2025-6021
(cherry picked from commit 348be18ac4b40caa531048d977df7d54b4ea9d14)
---
 .../libraries/libxml2/CVE-2025-6021.patch | 40 +++++++++++++++++++
 .../development/libraries/libxml2/default.nix | 3 ++
 2 files changed, 43 insertions(+)
 create mode 100644 pkgs/development/libraries/libxml2/CVE-2025-6021.patch
diff --git a/pkgs/development/libraries/libxml2/CVE-2025-6021.patch b/pkgs/development/libraries/libxml2/CVE-2025-6021.patch
new file mode 100644
index 000000000000..d13d80fb7522
--- /dev/null
+++ b/pkgs/development/libraries/libxml2/CVE-2025-6021.patch
@@ -0,0 +1,40 @@
+diff --git a/tree.c b/tree.c
+index f097cf87..4d966ec9 100644
+--- a/tree.c
++++ b/tree.c
+@@ -47,6 +47,10 @@
+ #include "private/error.h"
+ #include "private/tree.h"
+ 
++#ifndef SIZE_MAX
++ #define SIZE_MAX ((size_t) -1)
++#endif
++
+ int __xmlRegisterCallbacks = 0;
+ 
+ /************************************************************************
+@@ -167,10 +168,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ xmlChar *memory, int len) {
+- int lenn, lenp;
++ size_t lenn, lenp;
+ xmlChar *ret;
+ 
+- if (ncname == NULL) return(NULL);
++ if ((ncname == NULL) || (len < 0)) return(NULL);
+ if (prefix == NULL) return((xmlChar *) ncname);
+ 
+ #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+@@ -181,8 +182,10 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ 
+ lenn = strlen((char *) ncname);
+ lenp = strlen((char *) prefix);
++ if (lenn >= SIZE_MAX - lenp - 1)
++ return(NULL);
+ 
+- if ((memory == NULL) || (len < lenn + lenp + 2)) {
++ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+ ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
+ if (ret == NULL)
+ return(NULL);
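Review bot: The `#ifndef SIZE_MAX` fallback added at the top of tree.c carries no comment, so whoever next rebases this backport cannot tell whether it exists because `<stdint.h>` is not included there or was added only while resolving the conflict; a one-line comment such as `/* fallback for toolchains where <stdint.h> does not provide SIZE_MAX */` would settle that. The new guard `if (lenn >= SIZE_MAX - lenp - 1)` in xmlBuildQName is correct for the `lenn + lenp + 2` that is allocated a few lines later (presumably separator plus terminator), but its purpose is not obvious at a glance; `/* lenn + lenp + 2 must not wrap size_t */` above it would help. The body of xmlBuildQName continues past the last nested hunk, so whether `len` has any other use after the new `len < 0` rejection cannot be checked here.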
diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix
index 9c93590323c7..b10a500ba45c 100644
--- a/pkgs/development/libraries/libxml2/default.nix
+++ b/pkgs/development/libraries/libxml2/default.nix
@@ -58,6 +58,9 @@ stdenv.mkDerivation (finalAttrs: {
 # See also https://gitlab.gnome.org/GNOME/libxml2/-/issues/906
 # Source: https://github.com/chromium/chromium/blob/4fb4ae8ce3daa399c3d8ca67f2dfb9deffcc7007/third_party/libxml/chromium/xml-attr-extra.patch
 ./xml-attr-extra.patch
+ # same as upstream patch but fixed conflict and added required import:
+ # https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0.diff
+ ./CVE-2025-6021.patch
 ];
 strictDeps = true;
From acbf60a2bcac9bda1c3d04dedf100f455972a2d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gutyina=20Gerg=C5=91?=
Date: Thu, 17 Jul 2025 00:38:14 +0200
Subject: [PATCH 2/4] libxml2: add patch for CVE-2025-49794 and CVE-2025-49796
(cherry picked from commit 5b7873647225dbb427157933eb8e04485fb5144c)
---
 pkgs/development/libraries/libxml2/default.nix | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix
index b10a500ba45c..d437e02aaceb 100644
--- a/pkgs/development/libraries/libxml2/default.nix
+++ b/pkgs/development/libraries/libxml2/default.nix
@@ -2,6 +2,7 @@
 stdenv,
 lib,
 fetchurl,
+ fetchpatch2,
 pkg-config,
 autoreconfHook,
 libintl,
@@ -61,6 +62,11 @@ stdenv.mkDerivation (finalAttrs: {
 # same as upstream patch but fixed conflict and added required import:
 # https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0.diff
 ./CVE-2025-6021.patch
+ (fetchpatch2 {
+ name = "CVE-2025-49794-49796.patch";
+ url = "https://gitlab.gnome.org/GNOME/libxml2/-/commit/f7ebc65f05bffded58d1e1b2138eb124c2e44f21.patch";
+ hash = "sha256-k+IGq6pbv9EA7o+uDocEAUqIammEjLj27Z+2RF5EMrs=";
+ })
 ];
 strictDeps = true;
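Review bot: The new comment `# same as upstream patch but fixed conflict and added required import:` does not match what the vendored CVE-2025-6021.patch in this same commit visibly contains: the local addition is an `#ifndef SIZE_MAX` fallback macro in tree.c, not an `#include`, so "import" will mislead whoever later tries to replace the local copy with the upstream diff. Suggest `# upstream fix rebased onto this version; also adds a SIZE_MAX fallback define in tree.c` so the comment names the actual local deviation. The `Source:` style used by the neighbouring xml-attr-extra.patch entry could be reused here for the upstream URL.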
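Review bot: The new `(fetchpatch2 { name = "CVE-2025-49794-49796.patch"; ... })` entry is the only item in the patch list without a comment saying what it fixes or why it needs no local adjustment, while its neighbours carry such notes; a line such as `# upstream fix for CVE-2025-49794 and CVE-2025-49796, applied unmodified` above `(fetchpatch2 {` keeps the list self-describing. Whether the referenced upstream commit also touches test files that do not exist in this release cannot be verified from this hunk.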
From d0082400bed98daf1a1e9aea6cf1243680271c65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gutyina=20Gerg=C5=91?=
Date: Thu, 17 Jul 2025 00:40:46 +0200
Subject: [PATCH 3/4] libxml2: add patch for CVE-2025-49795
(cherry picked from commit 5d3c18107abdac1354a12ec09a8e862c9c631553)
---
 pkgs/development/libraries/libxml2/default.nix | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix
index d437e02aaceb..531791f579d0 100644
--- a/pkgs/development/libraries/libxml2/default.nix
+++ b/pkgs/development/libraries/libxml2/default.nix
@@ -67,6 +67,12 @@ stdenv.mkDerivation (finalAttrs: {
 url = "https://gitlab.gnome.org/GNOME/libxml2/-/commit/f7ebc65f05bffded58d1e1b2138eb124c2e44f21.patch";
 hash = "sha256-k+IGq6pbv9EA7o+uDocEAUqIammEjLj27Z+2RF5EMrs=";
 })
+ (fetchpatch2 {
+ name = "CVE-2025-49795.patch";
+ url = "https://gitlab.gnome.org/GNOME/libxml2/-/commit/c24909ba2601848825b49a60f988222da3019667.patch";
+ hash = "sha256-r7PYKr5cDDNNMtM3ogNLsucPFTwP/uoC7McijyLl4kU=";
+ excludes = [ "runtest.c" ]; # tests were rewritten in C and are on schematron for 2.13.x, meaning this does not apply
+ })
 ];
 strictDeps = true;
From 47bb459c41f79ca4907fdc7470328f7abff6b442 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gutyina=20Gerg=C5=91?=
Date: Thu, 17 Jul 2025 09:41:47 +0200
Subject: [PATCH 4/4] libxml2: add patch for CVE-2025-6170
(cherry picked from commit 2da008e2ee4eda08380f6341db237ec6fef950ad)
---
 .../libraries/libxml2/CVE-2025-6170.patch | 112 ++++++++++++++++++
 .../development/libraries/libxml2/default.nix | 3 +
 2 files changed, 115 insertions(+)
 create mode 100644 pkgs/development/libraries/libxml2/CVE-2025-6170.patch
diff --git a/pkgs/development/libraries/libxml2/CVE-2025-6170.patch b/pkgs/development/libraries/libxml2/CVE-2025-6170.patch
new file mode 100644
index 000000000000..b66f24e305e0
--- /dev/null
+++ b/pkgs/development/libraries/libxml2/CVE-2025-6170.patch
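Review bot: The trailing comment on `excludes = [ "runtest.c" ];` is hard to parse ("meaning this does not apply" never says what "this" is) and leaves the security-relevant consequence implicit: dropping runtest.c means the upstream regression test for CVE-2025-49795 is not carried, so a successful build does not demonstrate that the fix landed on the intended code. Suggest `# drop upstream's runtest.c changes: they target a test layout this version does not have; the fix is applied but its regression test is not run here`. Whether some other existing test in this package covers the same path is not visible from this hunk.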
@@ -0,0 +1,112 @@
+diff --git a/result/scripts/long_command b/result/scripts/long_command
+new file mode 100644
+index 000000000..e6f00708b
+--- /dev/null
++++ b/result/scripts/long_command
+@@ -0,0 +1,8 @@
++/ > b > b > Object is a Node Set :
++Set contains 1 nodes:
++1 ELEMENT a:c
++b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
++b > b > Unknown command ess_currents_of_time_and_existence
++b > 
++Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof
++b > 
+\ No newline at end of file
+diff --git a/debugXML.c b/debugXML.c
+index ed56b0f8..aeeea3c0 100644
+--- a/debugXML.c
++++ b/debugXML.c
+@@ -2780,6 +2780,10 @@ xmlShellPwd(xmlShellCtxtPtr ctxt ATTRIBUTE_UNUSED, char *buffer,
+ return (0);
+ }
+ 
++#define MAX_PROMPT_SIZE 500
++#define MAX_ARG_SIZE 400
++#define MAX_COMMAND_SIZE 100
++
+ /**
+ * xmlShell:
+ * @doc: the initial document
+@@ -2795,10 +2795,10 @@ void
+ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+ FILE * output)
+ {
+- char prompt[500] = "/ > ";
++ char prompt[MAX_PROMPT_SIZE] = "/ > ";
+ char *cmdline = NULL, *cur;
+- char command[100];
+- char arg[400];
++ char command[MAX_COMMAND_SIZE];
++ char arg[MAX_ARG_SIZE];
+ int i;
+ xmlShellCtxtPtr ctxt;
+ xmlXPathObjectPtr list;
+@@ -2856,7 +2856,8 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+ cur++;
+ i = 0;
+ while ((*cur != ' ') && (*cur != '\t') &&
+- (*cur != '\n') && (*cur != '\r')) {
++ (*cur != '\n') && (*cur != '\r') &&
++ (i < (MAX_COMMAND_SIZE - 1))) {
+ if (*cur == 0)
+ break;
+ command[i++] = *cur++;
+@@ -2871,7 
+2872,7 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+ while ((*cur == ' ') || (*cur == '\t'))
+ cur++;
+ i = 0;
+- while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
++ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
+ if (*cur == 0)
+ break;
+ arg[i++] = *cur++;
+diff --git a/xmllint.c b/xmllint.c
+index c6273477..3d90272c 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -724,6 +724,9 @@ xmlHTMLValidityWarning(void *ctx, const char *msg, ...)
+ ************************************************************************/
+ #ifdef LIBXML_DEBUG_ENABLED
+ #ifdef LIBXML_XPATH_ENABLED
++
++#define MAX_PROMPT_SIZE 500
++
+ /**
+ * xmlShellReadline:
+ * @prompt: the prompt value
+@@ -754,9 +754,9 @@ xmlShellReadline(char *prompt) {
+ if (prompt != NULL)
+ fprintf(stdout, "%s", prompt);
+ fflush(stdout);
+- if (!fgets(line_read, 500, stdin))
++ if (!fgets(line_read, MAX_PROMPT_SIZE, stdin))
+ return(NULL);
+- line_read[500] = 0;
++ line_read[MAX_PROMPT_SIZE] = 0;
+ len = strlen(line_read);
+ ret = (char *) malloc(len + 1);
+ if (ret != NULL) {
+-- 
+diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
+new file mode 100644
+index 000000000..00f6df09f
+--- /dev/null
++++ b/test/scripts/long_command.script
+@@ -0,0 +1,6 @@
++cd a/b
++set
++xpath //*[namespace-uri()="foo"]
++This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
++set 
Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
++save -
+diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
+new file mode 100644
+index 000000000..1ba44016e
+--- /dev/null
++++ b/test/scripts/long_command.xml
+@@ -0,0 +1 @@
++
+-- 
+GitLab
+ 
diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix
index 531791f579d0..a5bcfef0823b 100644
--- a/pkgs/development/libraries/libxml2/default.nix
+++ b/pkgs/development/libraries/libxml2/default.nix
@@ -73,6 +73,9 @@ stdenv.mkDerivation (finalAttrs: {
 hash = "sha256-r7PYKr5cDDNNMtM3ogNLsucPFTwP/uoC7McijyLl4kU=";
 excludes = [ "runtest.c" ]; # tests were rewritten in C and are on schematron for 2.13.x, meaning this does not apply
 })
+ # same as upstream, fixed conflicts
+ # https://gitlab.gnome.org/GNOME/libxml2/-/commit/c340e419505cf4bf1d9ed7019a87cc00ec200434
+ ./CVE-2025-6170.patch
 ];
 strictDeps = true;
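Review bot: In the xmllint.c hunk, `line_read[MAX_PROMPT_SIZE] = 0;` after `fgets(line_read, MAX_PROMPT_SIZE, stdin)` stores at index 500, which is in bounds only if `line_read` is declared with at least `MAX_PROMPT_SIZE + 1` elements; that declaration is outside the hunk and nothing in the patch ties the two sizes together, so a comment at the new define such as `/* must stay one less than the size of line_read in xmlShellReadline */` is the minimum that should accompany it. `MAX_PROMPT_SIZE` is now defined independently in debugXML.c (where it sizes `prompt`) and in xmllint.c (where it sizes an input line), with no shared header, so the two values can drift without any compiler complaint. In the debugXML.c command loop, the new `i < (MAX_COMMAND_SIZE - 1)` bound stops copying but leaves `cur` at the unread tail, which the following argument loop then presumably consumes — the new result fixture shows exactly that, with the tail reported as an unknown command — so a one-line comment like `/* over-long command names are truncated; the rest is parsed as the argument */` would document the intended behaviour. The `command[i] = 0` / `arg[i] = 0` terminators that make the truncation safe are outside these hunks and cannot be confirmed here.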
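Review bot: The comment `# same as upstream, fixed conflicts` cites a single upstream commit, but the vendored CVE-2025-6170.patch added in this commit visibly contains a `-- ` trailer between the xmllint.c hunk and the test-script files, which suggests two patches were concatenated; the comment should say which parts come from where, otherwise a later rebase cannot tell upstream content from local adjustments. Suggest `# upstream fix with conflicts resolved by hand for this version; the test-script hunks at the end of the file were appended from <UPSTREAM-SOURCE-PLACEHOLDER>` with the placeholder filled in by the author. A vendored copy also drops the hash pinning the fetchpatch2 entries above provide, which is worth stating so the file is reviewed as local code rather than as a fetched artifact.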