libxml2: CVE-2017-9049 and CVE-2017-9050

References: CVE-2017-9049: Heap-based buffer over-read in function xmlDictComputeFastKey http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049 CVE-2017-9050: Heap-based buffer over-read in function xmlDictAddString http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-08-21 08:43:03 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-08-21 10:55:46 +0200
commit: a60bc47b963ee456ce140cabb1e15a1275a2f67d (patch)
tree: 20b6414beec6ef68eb0e990de0d8a0eb04c059b7
parent: f2a56c19b6190bf41bd608efdf8dd573fa9fd616 (diff)
download: meta-el-common-a60bc47b963ee456ce140cabb1e15a1275a2f67d.tar.gz
2 files changed, 322 insertions, 0 deletions
diff --git a/recipes-core/libxml/libxml2/CVE-2017-9049_CVE-2017-9050.patch b/recipes-core/libxml/libxml2/CVE-2017-9049_CVE-2017-9050.patch
new file mode 100644
index 0000000..c9ad71d
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-9049_CVE-2017-9050.patch
@@ -0,0 +1,321 @@
+From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 5 Jun 2017 15:37:17 +0200
+Subject: [PATCH] Fix handling of parameter-entity references
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+There were two bugs where parameter-entity references could lead to an
+unexpected change of the input buffer in xmlParseNameComplex and
+xmlDictLookup being called with an invalid pointer.
+Percent sign in DTD Names
+=========================
+The NEXTL macro used to call xmlParserHandlePEReference. When parsing
+"complex" names inside the DTD, this could result in entity expansion
+which created a new input buffer. The fix is to simply remove the call
+to xmlParserHandlePEReference from the NEXTL macro. This is safe because
+no users of the macro require expansion of parameter entities.
+- xmlParseNameComplex
+- xmlParseNCNameComplex
+- xmlParseNmtoken
+The percent sign is not allowed in names, which are grammatical tokens.
+- xmlParseEntityValue
+Parameter-entity references in entity values are expanded but this
+happens in a separate step in this function.
+- xmlParseSystemLiteral
+Parameter-entity references are ignored in the system literal.
+- xmlParseAttValueComplex
+- xmlParseCharDataComplex
+- xmlParseCommentComplex
+- xmlParsePI
+- xmlParseCDSect
+Parameter-entity references are ignored outside the DTD.
+- xmlLoadEntityContent
+This function is only called from xmlStringLenDecodeEntities and
+entities are replaced in a separate step immediately after the function
+call.
+This bug could also be triggered with an internal subset and double
+entity expansion.
+This fixes bug 766956 initially reported by Wei Lei and independently by
+Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
+involved.
+xmlParseNameComplex with XML_PARSE_OLD10
+========================================
+When parsing Names inside an expanded parameter entity with the
+XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
+GROW macro if the input buffer was exhausted. At the end of the
+parameter entity's replacement text, this function would then call
+xmlPopInput which invalidated the input buffer.
+There should be no need to invoke GROW in this situation because the
+buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
+at least for UTF-8, in xmlCurrentChar. This also matches the code path
+executed when XML_PARSE_OLD10 is not set.
+This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
+Thanks to Marcel Böhme and Thuan Pham for the report.
+Additional hardening
+====================
+A separate check was added in xmlParseNameComplex to validate the
+buffer size.
+CVE: CVE-2017-9049 CVE-2017-9050
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ Makefile.am                     | 18 ++++++++++++++++++
+ parser.c                        | 18 ++++++++++--------
+ result/errors10/781205.xml      |  0
+ result/errors10/781205.xml.err  | 21 +++++++++++++++++++++
+ result/errors10/781361.xml      |  0
+ result/errors10/781361.xml.err  | 13 +++++++++++++
+ result/valid/766956.xml         |  0
+ result/valid/766956.xml.err     |  9 +++++++++
+ result/valid/766956.xml.err.rdr | 10 ++++++++++
+ runtest.c                       |  3 +++
+ test/errors10/781205.xml        |  3 +++
+ test/errors10/781361.xml        |  3 +++
+ test/valid/766956.xml           |  2 ++
+ test/valid/dtds/766956.dtd      |  2 ++
+ 14 files changed, 94 insertions(+), 8 deletions(-)
+ create mode 100644 result/errors10/781205.xml
+ create mode 100644 result/errors10/781205.xml.err
+ create mode 100644 result/errors10/781361.xml
+ create mode 100644 result/errors10/781361.xml.err
+ create mode 100644 result/valid/766956.xml
+ create mode 100644 result/valid/766956.xml.err
+ create mode 100644 result/valid/766956.xml.err.rdr
+ create mode 100644 test/errors10/781205.xml
+ create mode 100644 test/errors10/781361.xml
+ create mode 100644 test/valid/766956.xml
+ create mode 100644 test/valid/dtds/766956.dtd
+diff --git a/Makefile.am b/Makefile.am
+index 6fc8ffa..10e716a 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -427,6 +427,24 @@ Errtests : xmllint$(EXEEXT)
+              if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
+              rm result.$$name error.$$name ; \
+          fi ; fi ; done)
+       @echo "## Error cases regression tests (old 1.0)"
+       -@(for i in $(srcdir)/test/errors10/*.xml ; do \
+         name=`basename $$i`; \
+         if [ ! -d $$i ] ; then \
+         if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \
+             echo New test file $$name ; \
+             $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \
+                2> $(srcdir)/result/errors10/$$name.err \
+                > $(srcdir)/result/errors10/$$name ; \
+             grep "MORY ALLO" .memdump  | grep -v "MEMORY ALLOCATED : 0"; \
+         else \
+             log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \
+             grep "MORY ALLO" .memdump  | grep -v "MEMORY ALLOCATED : 0"; \
+             diff $(srcdir)/result/errors10/$$name result.$$name ; \
+             diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \
+             if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
+             rm result.$$name error.$$name ; \
+         fi ; fi ; done)
+        @echo "## Error cases stream regression tests"
+        -@(for i in $(srcdir)/test/errors/*.xml ; do \
+          name=`basename $$i`; \
+diff --git a/parser.c b/parser.c
+index df2efa5..a175ac4 100644
+--- a/parser.c
+++ b/parser.c
+@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+        ctxt->input->line++; ctxt->input->col = 1;                      \
+     } else ctxt->input->col++;                                         \
+     ctxt->input->cur += l;                             \
+-    if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);    \
+   } while (0)
+ 
+ #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
+@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+            len += l;
+            NEXTL(l);
+            c = CUR_CHAR(l);
+-           if (c == 0) {
+-               count = 0;
+-               GROW;
+-                if (ctxt->instate == XML_PARSER_EOF)
+-                    return(NULL);
+-               c = CUR_CHAR(l);
+-           }
+        }
+     }
+     if ((len > XML_MAX_NAME_LENGTH) &&
+@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+         return(NULL);
+     }
+    if (ctxt->input->cur - ctxt->input->base < len) {
+        /*
+         * There were a couple of bugs where PERefs lead to to a change
+         * of the buffer. Check the buffer size to avoid passing an invalid
+         * pointer to xmlDictLookup.
+         */
+        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+                    "unexpected change of input buffer");
+        return (NULL);
+    }
+     if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
+         return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
+     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
+new file mode 100644
+index 0000000..da15c3f
+--- /dev/null
+++ b/result/errors10/781205.xml.err
+@@ -0,0 +1,21 @@
+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
+
+ %a; 
+    ^
+Entity: line 1: 
+<:0000
+^
+Entity: line 1: parser error : DOCTYPE improperly terminated
+ %a; 
+    ^
+Entity: line 1: 
+<:0000
+^
+namespace error : Failed to parse QName ':0000'
+ %a; 
+    ^
+<:0000
+      ^
+./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
+
+^
+diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
+new file mode 100644
+index 0000000..655f41a
+--- /dev/null
+++ b/result/errors10/781361.xml.err
+@@ -0,0 +1,13 @@
+./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
+
+^
+./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
+
+
+^
+./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
+
+^
+./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
+
+^
+diff --git a/result/valid/766956.xml b/result/valid/766956.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
+new file mode 100644
+index 0000000..34b1dae
+--- /dev/null
+++ b/result/valid/766956.xml.err
+@@ -0,0 +1,9 @@
+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
+%ä%ent;
+   ^
+Entity: line 1: parser error : Content error in the external subset
+ %ent; 
+      ^
+Entity: line 1: 
+value
+^
+diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
+new file mode 100644
+index 0000000..7760346
+--- /dev/null
+++ b/result/valid/766956.xml.err.rdr
+@@ -0,0 +1,10 @@
+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
+%ä%ent;
+   ^
+Entity: line 1: parser error : Content error in the external subset
+ %ent; 
+      ^
+Entity: line 1: 
+value
+^
+./test/valid/766956.xml : failed to parse
+diff --git a/runtest.c b/runtest.c
+index b2ce693..378b38e 100644
+--- a/runtest.c
+++ b/runtest.c
+@@ -4214,6 +4214,9 @@ testDesc testDescriptions[] = {
+     { "Error cases regression tests",
+       errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err",
+       0 },
+    { "Error cases regression tests (old 1.0)",
+      errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err",
+      XML_PARSE_OLD10 },
+ #ifdef LIBXML_READER_ENABLED
+     { "Error cases stream regression tests",
+       streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str",
+diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
+new file mode 100644
+index 0000000..d9e9e83
+--- /dev/null
+++ b/test/errors10/781205.xml
+@@ -0,0 +1,3 @@
+<!DOCTYPE D [
+  <!ENTITY % a "<:0000">
+  %a;
+diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
+new file mode 100644
+index 0000000..67476bc
+--- /dev/null
+++ b/test/errors10/781361.xml
+@@ -0,0 +1,3 @@
+<!DOCTYPE doc [
+  <!ENTITY % elem "<!ELEMENT e0000000000">
+  %elem;
+diff --git a/test/valid/766956.xml b/test/valid/766956.xml
+new file mode 100644
+index 0000000..19a95a0
+--- /dev/null
+++ b/test/valid/766956.xml
+@@ -0,0 +1,2 @@
+<!DOCTYPE test SYSTEM "dtds/766956.dtd">
+<test/>
+diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
+new file mode 100644
+index 0000000..dddde68
+--- /dev/null
+++ b/test/valid/dtds/766956.dtd
+@@ -0,0 +1,2 @@
+<!ENTITY % ent "value">
+%ä%ent;
+-- 
+1.9.1
diff --git a/recipes-core/libxml/libxml2_%.bbappend b/recipes-core/libxml/libxml2_%.bbappend
index e022135..c6e5705 100644
--- a/recipes-core/libxml/libxml2_%.bbappend
+++ b/recipes-core/libxml/libxml2_%.bbappend
@@ -3,5 +3,6 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 SRC_URI += "file://CVE-2017-5969.patch \
            file://CVE-2017-9047_CVE-2017-9048.patch \
+            file://CVE-2017-9049_CVE-2017-9050.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-08-21 08:43:03 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-08-21 10:55:46 +0200
commit	a60bc47b963ee456ce140cabb1e15a1275a2f67d (patch)
tree	20b6414beec6ef68eb0e990de0d8a0eb04c059b7
parent	f2a56c19b6190bf41bd608efdf8dd573fa9fd616 (diff)
download	meta-el-common-a60bc47b963ee456ce140cabb1e15a1275a2f67d.tar.gz

diff --git a/recipes-core/libxml/libxml2/CVE-2017-9049_CVE-2017-9050.patch b/recipes-core/libxml/libxml2/CVE-2017-9049_CVE-2017-9050.patch new file mode 100644 index 0000000..c9ad71d --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-9049_CVE-2017-9050.patch
@@ -0,0 +1,321 @@
		1	From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Mon, 5 Jun 2017 15:37:17 +0200
		4	Subject: [PATCH] Fix handling of parameter-entity references
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	There were two bugs where parameter-entity references could lead to an
		10	unexpected change of the input buffer in xmlParseNameComplex and
		11	xmlDictLookup being called with an invalid pointer.
		12
		13	Percent sign in DTD Names
		14	=========================
		15
		16	The NEXTL macro used to call xmlParserHandlePEReference. When parsing
		17	"complex" names inside the DTD, this could result in entity expansion
		18	which created a new input buffer. The fix is to simply remove the call
		19	to xmlParserHandlePEReference from the NEXTL macro. This is safe because
		20	no users of the macro require expansion of parameter entities.
		21
		22	- xmlParseNameComplex
		23	- xmlParseNCNameComplex
		24	- xmlParseNmtoken
		25
		26	The percent sign is not allowed in names, which are grammatical tokens.
		27
		28	- xmlParseEntityValue
		29
		30	Parameter-entity references in entity values are expanded but this
		31	happens in a separate step in this function.
		32
		33	- xmlParseSystemLiteral
		34
		35	Parameter-entity references are ignored in the system literal.
		36
		37	- xmlParseAttValueComplex
		38	- xmlParseCharDataComplex
		39	- xmlParseCommentComplex
		40	- xmlParsePI
		41	- xmlParseCDSect
		42
		43	Parameter-entity references are ignored outside the DTD.
		44
		45	- xmlLoadEntityContent
		46
		47	This function is only called from xmlStringLenDecodeEntities and
		48	entities are replaced in a separate step immediately after the function
		49	call.
		50
		51	This bug could also be triggered with an internal subset and double
		52	entity expansion.
		53
		54	This fixes bug 766956 initially reported by Wei Lei and independently by
		55	Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
		56	involved.
		57
		58	xmlParseNameComplex with XML_PARSE_OLD10
		59	========================================
		60
		61	When parsing Names inside an expanded parameter entity with the
		62	XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
		63	GROW macro if the input buffer was exhausted. At the end of the
		64	parameter entity's replacement text, this function would then call
		65	xmlPopInput which invalidated the input buffer.
		66
		67	There should be no need to invoke GROW in this situation because the
		68	buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
		69	at least for UTF-8, in xmlCurrentChar. This also matches the code path
		70	executed when XML_PARSE_OLD10 is not set.
		71
		72	This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
		73	Thanks to Marcel Böhme and Thuan Pham for the report.
		74
		75	Additional hardening
		76	====================
		77
		78	A separate check was added in xmlParseNameComplex to validate the
		79	buffer size.
		80
		81	CVE: CVE-2017-9049 CVE-2017-9050
		82	Upstream-Status: Backport
		83
		84	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		85	---
		86	Makefile.am \| 18 ++++++++++++++++++
		87	parser.c \| 18 ++++++++++--------
		88	result/errors10/781205.xml \| 0
		89	result/errors10/781205.xml.err \| 21 +++++++++++++++++++++
		90	result/errors10/781361.xml \| 0
		91	result/errors10/781361.xml.err \| 13 +++++++++++++
		92	result/valid/766956.xml \| 0
		93	result/valid/766956.xml.err \| 9 +++++++++
		94	result/valid/766956.xml.err.rdr \| 10 ++++++++++
		95	runtest.c \| 3 +++
		96	test/errors10/781205.xml \| 3 +++
		97	test/errors10/781361.xml \| 3 +++
		98	test/valid/766956.xml \| 2 ++
		99	test/valid/dtds/766956.dtd \| 2 ++
		100	14 files changed, 94 insertions(+), 8 deletions(-)
		101	create mode 100644 result/errors10/781205.xml
		102	create mode 100644 result/errors10/781205.xml.err
		103	create mode 100644 result/errors10/781361.xml
		104	create mode 100644 result/errors10/781361.xml.err
		105	create mode 100644 result/valid/766956.xml
		106	create mode 100644 result/valid/766956.xml.err
		107	create mode 100644 result/valid/766956.xml.err.rdr
		108	create mode 100644 test/errors10/781205.xml
		109	create mode 100644 test/errors10/781361.xml
		110	create mode 100644 test/valid/766956.xml
		111	create mode 100644 test/valid/dtds/766956.dtd
		112
		113	diff --git a/Makefile.am b/Makefile.am
		114	index 6fc8ffa..10e716a 100644
		115	--- a/Makefile.am
		116	+++ b/Makefile.am
		117	@@ -427,6 +427,24 @@ Errtests : xmllint$(EXEEXT)
		118	if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
		119	rm result.$$name error.$$name ; \
		120	fi ; fi ; done)
		121	+ @echo "## Error cases regression tests (old 1.0)"
		122	+ -@(for i in $(srcdir)/test/errors10/*.xml ; do \
		123	+ name=`basename $$i`; \
		124	+ if [ ! -d $$i ] ; then \
		125	+ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \
		126	+ echo New test file $$name ; \
		127	+ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \
		128	+ 2> $(srcdir)/result/errors10/$$name.err \
		129	+ > $(srcdir)/result/errors10/$$name ; \
		130	+ grep "MORY ALLO" .memdump \| grep -v "MEMORY ALLOCATED : 0"; \
		131	+ else \
		132	+ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \
		133	+ grep "MORY ALLO" .memdump \| grep -v "MEMORY ALLOCATED : 0"; \
		134	+ diff $(srcdir)/result/errors10/$$name result.$$name ; \
		135	+ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \
		136	+ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
		137	+ rm result.$$name error.$$name ; \
		138	+ fi ; fi ; done)
		139	@echo "## Error cases stream regression tests"
		140	-@(for i in $(srcdir)/test/errors/*.xml ; do \
		141	name=`basename $$i`; \
		142	diff --git a/parser.c b/parser.c
		143	index df2efa5..a175ac4 100644
		144	--- a/parser.c
		145	+++ b/parser.c
		146	@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
		147	ctxt->input->line++; ctxt->input->col = 1; \
		148	} else ctxt->input->col++; \
		149	ctxt->input->cur += l; \
		150	- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \
		151	} while (0)
		152
		153	#define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
		154	@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
		155	len += l;
		156	NEXTL(l);
		157	c = CUR_CHAR(l);
		158	- if (c == 0) {
		159	- count = 0;
		160	- GROW;
		161	- if (ctxt->instate == XML_PARSER_EOF)
		162	- return(NULL);
		163	- c = CUR_CHAR(l);
		164	- }
		165	}
		166	}
		167	if ((len > XML_MAX_NAME_LENGTH) &&
		168	@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
		169	xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
		170	return(NULL);
		171	}
		172	+ if (ctxt->input->cur - ctxt->input->base < len) {
		173	+ /*
		174	+ * There were a couple of bugs where PERefs lead to to a change
		175	+ * of the buffer. Check the buffer size to avoid passing an invalid
		176	+ * pointer to xmlDictLookup.
		177	+ */
		178	+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
		179	+ "unexpected change of input buffer");
		180	+ return (NULL);
		181	+ }
		182	if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
		183	return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
		184	return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
		185	diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
		186	new file mode 100644
		187	index 0000000..e69de29
		188	diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
		189	new file mode 100644
		190	index 0000000..da15c3f
		191	--- /dev/null
		192	+++ b/result/errors10/781205.xml.err
		193	@@ -0,0 +1,21 @@
		194	+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
		195	+
		196	+ %a;
		197	+ ^
		198	+Entity: line 1:
		199	+<:0000
		200	+^
		201	+Entity: line 1: parser error : DOCTYPE improperly terminated
		202	+ %a;
		203	+ ^
		204	+Entity: line 1:
		205	+<:0000
		206	+^
		207	+namespace error : Failed to parse QName ':0000'
		208	+ %a;
		209	+ ^
		210	+<:0000
		211	+ ^
		212	+./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
		213	+
		214	+^
		215	diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
		216	new file mode 100644
		217	index 0000000..e69de29
		218	diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
		219	new file mode 100644
		220	index 0000000..655f41a
		221	--- /dev/null
		222	+++ b/result/errors10/781361.xml.err
		223	@@ -0,0 +1,13 @@
		224	+./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
		225	+
		226	+^
		227	+./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
		228	+
		229	+
		230	+^
		231	+./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
		232	+
		233	+^
		234	+./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
		235	+
		236	+^
		237	diff --git a/result/valid/766956.xml b/result/valid/766956.xml
		238	new file mode 100644
		239	index 0000000..e69de29
		240	diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
		241	new file mode 100644
		242	index 0000000..34b1dae
		243	--- /dev/null
		244	+++ b/result/valid/766956.xml.err
		245	@@ -0,0 +1,9 @@
		246	+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
		247	+%ä%ent;
		248	+ ^
		249	+Entity: line 1: parser error : Content error in the external subset
		250	+ %ent;
		251	+ ^
		252	+Entity: line 1:
		253	+value
		254	+^
		255	diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
		256	new file mode 100644
		257	index 0000000..7760346
		258	--- /dev/null
		259	+++ b/result/valid/766956.xml.err.rdr
		260	@@ -0,0 +1,10 @@
		261	+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
		262	+%ä%ent;
		263	+ ^
		264	+Entity: line 1: parser error : Content error in the external subset
		265	+ %ent;
		266	+ ^
		267	+Entity: line 1:
		268	+value
		269	+^
		270	+./test/valid/766956.xml : failed to parse
		271	diff --git a/runtest.c b/runtest.c
		272	index b2ce693..378b38e 100644
		273	--- a/runtest.c
		274	+++ b/runtest.c
		275	@@ -4214,6 +4214,9 @@ testDesc testDescriptions[] = {
		276	{ "Error cases regression tests",
		277	errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err",
		278	0 },
		279	+ { "Error cases regression tests (old 1.0)",
		280	+ errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err",
		281	+ XML_PARSE_OLD10 },
		282	#ifdef LIBXML_READER_ENABLED
		283	{ "Error cases stream regression tests",
		284	streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str",
		285	diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
		286	new file mode 100644
		287	index 0000000..d9e9e83
		288	--- /dev/null
		289	+++ b/test/errors10/781205.xml
		290	@@ -0,0 +1,3 @@
		291	+<!DOCTYPE D [
		292	+ <!ENTITY % a "<:0000">
		293	+ %a;
		294	diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
		295	new file mode 100644
		296	index 0000000..67476bc
		297	--- /dev/null
		298	+++ b/test/errors10/781361.xml
		299	@@ -0,0 +1,3 @@
		300	+<!DOCTYPE doc [
		301	+ <!ENTITY % elem "<!ELEMENT e0000000000">
		302	+ %elem;
		303	diff --git a/test/valid/766956.xml b/test/valid/766956.xml
		304	new file mode 100644
		305	index 0000000..19a95a0
		306	--- /dev/null
		307	+++ b/test/valid/766956.xml
		308	@@ -0,0 +1,2 @@
		309	+<!DOCTYPE test SYSTEM "dtds/766956.dtd">
		310	+<test/>
		311	diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
		312	new file mode 100644
		313	index 0000000..dddde68
		314	--- /dev/null
		315	+++ b/test/valid/dtds/766956.dtd
		316	@@ -0,0 +1,2 @@
		317	+<!ENTITY % ent "value">
		318	+%ä%ent;
		319	--
		320	1.9.1
		321


diff --git a/recipes-core/libxml/libxml2_%.bbappend b/recipes-core/libxml/libxml2_%.bbappend index e022135..c6e5705 100644 --- a/recipes-core/libxml/libxml2_%.bbappend +++ b/recipes-core/libxml/libxml2_%.bbappend
@@ -3,5 +3,6 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
3		3
4	SRC_URI += "file://CVE-2017-5969.patch \	4	SRC_URI += "file://CVE-2017-5969.patch \
5	file://CVE-2017-9047_CVE-2017-9048.patch \	5	file://CVE-2017-9047_CVE-2017-9048.patch \
		6	file://CVE-2017-9049_CVE-2017-9050.patch \
6	"	7	"
7		8