From a9773c659253f6de52621051fb23d770e4b658e6 Mon Sep 17 00:00:00 2001
From: "Michael R. Crusoe"
Date: Mon, 29 Apr 2024 16:12:11 +0200
Subject: [PATCH] Cherry-pick patch from upstream to fix CVE-2021-42521. Closes: #1031877.
---
 debian/changelog | 2 ++
 debian/patches/08_CVE-2021-42521.patch | 34 ++++++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 37 insertions(+)
 create mode 100644 debian/patches/08_CVE-2021-42521.patch
diff --git a/debian/changelog b/debian/changelog
index ae85d2b31..a92bddabc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,8 @@ vtk9 (9.1.0+really9.1.0+dfsg2-8) UNRELEASED; urgency=medium
 appended data. Closes: #1064762
 * d/control: build-dep on libhdf5-mpi-dev instead of libhdf5-openmpi-
 dev. Closes: #1068321
+ * Cherry-pick patch from upstream to fix CVE-2021-42521. Closes:
+ #1031877.

 -- Bo YU Tue, 24 Oct 2023 14:35:29 +0800

diff --git a/debian/patches/08_CVE-2021-42521.patch b/debian/patches/08_CVE-2021-42521.patch
new file mode 100644
index 000000000..752307d46
--- /dev/null
+++ b/debian/patches/08_CVE-2021-42521.patch
@@ -0,0 +1,34 @@
+From: Cory Quammen
+Date: Thu, 29 Sep 2022 13:10:00 -0400
+Subject: vtkXMLTreeReader: protect against possible nullptr dereference
+Origin: upstream,https://gitlab.kitware.com/vtk/vtk/-/commit/72119ea71422d2892f2a0475fc282835310f8d9e
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/1031877
+
+Vulnerability reported at
+https://nvd.nist.gov/vuln/detail/CVE-2021-42521.
+
+---
+ IO/Infovis/vtkXMLTreeReader.cxx | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/IO/Infovis/vtkXMLTreeReader.cxx b/IO/Infovis/vtkXMLTreeReader.cxx
+index 64abca37e96..af64572b27f 100644
+--- a/IO/Infovis/vtkXMLTreeReader.cxx
++++ b/IO/Infovis/vtkXMLTreeReader.cxx
+@@ -217,6 +217,12 @@ int vtkXMLTreeReader::RequestData(
+
+ // Get the root element node
+ xmlNode* rootElement = xmlDocGetRootElement(doc);
++ if (!rootElement)
++ {
++ vtkErrorMacro(<< "Could not get root element of document.");
++ return 0;
++ }
++
+ vtkXMLTreeReaderProcessElement(builder, -1, rootElement, this->ReadCharData, this->MaskArrays);
+
+ xmlFreeDoc(doc);
+--
+GitLab
+
diff --git a/debian/patches/series b/debian/patches/series
index 38351cd2a..bffbb6ef4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+08_CVE-2021-42521.patch
 09_newer_expat.patch
 gcc-13.patch
 10_matplotlib.patch
--
2.30.2
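Review bot: The early `return 0;` added under the `!rootElement` check in `vtkXMLTreeReader::RequestData` skips the `xmlFreeDoc(doc);` call that the context lines show after `vtkXMLTreeReaderProcessElement(...)`, so a document that parses but has no root element appears to be leaked on this error path. For a reader fed untrusted XML, that trades the null-pointer crash for a per-input memory leak; I would release the document first by putting `xmlFreeDoc(doc);` directly above `return 0;`. `RequestData` begins and continues outside the hunk, so whether `doc` is released some other way is not visible here and should be confirmed. As this is an upstream cherry-pick carried in `debian/patches`, the one-line change would be better proposed upstream than added as a silent divergence.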