microsoft · azurelinux-security · May 22, 2026 · May 22, 2026
@@ -0,0 +1,101 @@
+From 98c9596bc60b9b0187ad7ad5e76cede788d8c346 Mon Sep 17 00:00:00 2001
+From: Toddr Bot <toddbot@rinaldo.us>
+Date: Fri, 8 May 2026 12:26:36 +0000
+Subject: [PATCH] fix: validate UTF-8 continuation bytes in domParseChar to
+ prevent OOB read
+
+domParseChar() read continuation bytes for multi-byte UTF-8 sequences
+without verifying they actually exist or are valid. A truncated sequence
+like "a\xF0" caused reads past the NUL terminator into uninitialized
+heap memory. The caller LibXML_test_node_name() then advanced its
+pointer by the (wrong) reported length, continuing to read from
+uncontrolled heap until hitting a zero byte or unmapped memory.
+
+Add validation that each continuation byte has the 10xxxxxx form
+before reading it, matching libxml2's own xmlCurrentChar() behavior.
+Invalid sequences now return 0 with *len = -1.
+
+Fixes #146
+
+Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/cpan-authors/XML-LibXML/commit/15652bd905a6c9dda59a81b14d4766adbbae2ea8.patch
+---
+ dom.c          | 18 ++++++++++++++++++
+ t/06elements.t | 10 +++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/dom.c b/dom.c
+index 10eb33d..4b0b7d1 100644
+--- a/dom.c
++++ b/dom.c
+@@ -292,6 +292,13 @@ domParseChar( xmlChar *cur, int *len )
+         if ((c & 0xe0) == 0xe0) {
+             if ((c & 0xf0) == 0xf0) {
+                 /* 4-byte code */
++                if ((cur[1] & 0xC0) != 0x80 ||
++                    (cur[2] & 0xC0) != 0x80 ||
++                    (cur[3] & 0xC0) != 0x80)
++                {
++                    *len = -1;
++                    return(0);
++                }
+                 *len = 4;
+                 val = (cur[0] & 0x7) << 18;
+                 val |= (cur[1] & 0x3f) << 12;
+@@ -299,6 +306,12 @@ domParseChar( xmlChar *cur, int *len )
+                 val |= cur[3] & 0x3f;
+             } else {
+                 /* 3-byte code */
++                if ((cur[1] & 0xC0) != 0x80 ||
++                    (cur[2] & 0xC0) != 0x80)
++                {
++                    *len = -1;
++                    return(0);
++                }
+                 *len = 3;
+                 val = (cur[0] & 0xf) << 12;
+                 val |= (cur[1] & 0x3f) << 6;
+@@ -306,6 +319,11 @@ domParseChar( xmlChar *cur, int *len )
+             }
+             } else {
+             /* 2-byte code */
++            if ((cur[1] & 0xC0) != 0x80)
++            {
++                *len = -1;
++                return(0);
++            }
+             *len = 2;
+             val = (cur[0] & 0x1f) << 6;
+             val |= cur[1] & 0x3f;
+diff --git a/t/06elements.t b/t/06elements.t
+index 6d68e10..547254d 100755
+--- a/t/06elements.t
++++ b/t/06elements.t
+@@ -8,7 +8,7 @@ use strict;
+ use warnings;
+
+ # Should be 187.
+-use Test::More tests => 191;
++use Test::More tests => 200;
+
+ use XML::LibXML;
+
+@@ -22,8 +22,12 @@ my $attname2  = "B";
+ my $attvalue2 = "b";
+ my $attname3  = "C";
+
+-# TEST:$badnames=4;
+-my @badnames= ("1A", "<><", "&", "-:");
++# TEST:$badnames=7;
++my @badnames= ("1A", "<><", "&", "-:",
++    "a\xF0",          # truncated 4-byte UTF-8
++    "a\xE0",          # truncated 3-byte UTF-8
++    "a\xC0",          # truncated 2-byte UTF-8
++);
+
+ # 1. bound node
+ {
+-- 
+2.45.4
+
@@ -8,7 +8,7 @@ Name:           perl-XML-LibXML
 # it might not be needed anymore
 # this module is maintained, the other is not
 Version:        2.0209
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Perl interface to the libxml2 library
 License:        (GPL+ or Artistic) and MIT
 URL:            https://metacpan.org/release/XML-LibXML
@@ -20,6 +20,7 @@ Source0:        https://cpan.metacpan.org/authors/id/S/SH/SHLOMIF/XML-LibXML-%{v
 Patch0:         XML-LibXML-2.0202-Parse-an-ampersand-entity-in-SAX-interface.patch
 # To reduce dependencies replace Alien::Libxml2 with pkg-config
 Patch1:         XML-LibXML-2.0208-Use-pkgconfig-instead-of-Alien-Libxml2.patch
+Patch2:         CVE-2026-8177.patch
 BuildRequires:  coreutils
 BuildRequires:  findutils
 BuildRequires:  glibc-common
@@ -114,9 +115,7 @@ Tests from %{name}. Execute them
 with "%{_libexecdir}/%{name}/test".
 
 %prep
-%setup -q -n XML-LibXML-%{version}
-%patch 0 -p1
-%patch 1 -p1
+%autosetup -p1 -n XML-LibXML-%{version}
 chmod -x *.c
 for i in Changes; do
   /usr/bin/iconv -f iso8859-1 -t utf-8 $i > $i.conv && /bin/mv -f $i.conv $i
@@ -185,6 +184,9 @@ fi
 %{_libexecdir}/%{name}
 
 %changelog
+* Fri May 22 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.0209-3
+- Patch for CVE-2026-8177
+
 * Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 2.0209-2
 - Add missing Vendor and Distribution tags.