1 files changed, 66 insertions, 0 deletions
diff --git a/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch
new file mode 100644
index 0000000..e072ef1
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch
@@ -0,0 +1,66 @@
+From 897dffbae322b46b83f99a607d527058a72c51ed Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 6 Jun 2017 13:21:14 +0200
+Subject: [PATCH] Check for integer overflow in memory debug code
+Fixes bug 783026.
+Thanks to Pranjal Jumde for the report.
+CVE: CVE-2017-5130
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed]
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ xmlmemory.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+diff --git a/xmlmemory.c b/xmlmemory.c
+index f08c8c3..c53141f 100644
+--- a/xmlmemory.c
+++ b/xmlmemory.c
+@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line)
+ 
+     TEST_POINT
+ 
+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+       xmlGenericError(xmlGenericErrorContext,
+               "xmlMallocLoc : Unsigned overflow\n");
+       xmlMemoryDump();
+       return(NULL);
+    }
+
+     p = (MEMHDR *) malloc(RESERVE_SIZE+size);
+ 
+     if (!p) {
+@@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
+ #endif
+     xmlMutexUnlock(xmlMemMutex);
+ 
+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+       xmlGenericError(xmlGenericErrorContext,
+               "xmlMallocLoc : Unsigned overflow\n");
+       xmlMemoryDump();
+       return(NULL);
+    }
+
+     tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
+     if (!tmp) {
+         free(p);
+@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line)
+     if (!xmlMemInitialized) xmlInitMemory();
+     TEST_POINT
+ 
+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+       xmlGenericError(xmlGenericErrorContext,
+               "xmlMallocLoc : Unsigned overflow\n");
+       xmlMemoryDump();
+       return(NULL);
+    }
+
+     p = (MEMHDR *) malloc(RESERVE_SIZE+size);
+     if (!p) {
+       goto error;
+-- 
+2.7.4

diff --git a/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch new file mode 100644 index 0000000..e072ef1 --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch
@@ -0,0 +1,66 @@
	1	From 897dffbae322b46b83f99a607d527058a72c51ed Mon Sep 17 00:00:00 2001
	2	From: Nick Wellnhofer <wellnhofer@aevum.de>
	3	Date: Tue, 6 Jun 2017 13:21:14 +0200
	4	Subject: [PATCH] Check for integer overflow in memory debug code
	5
	6	Fixes bug 783026.
	7
	8	Thanks to Pranjal Jumde for the report.
	9
	10	CVE: CVE-2017-5130
	11	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed]
	12
	13	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	14	---
	15	xmlmemory.c \| 21 +++++++++++++++++++++
	16	1 file changed, 21 insertions(+)
	17
	18	diff --git a/xmlmemory.c b/xmlmemory.c
	19	index f08c8c3..c53141f 100644
	20	--- a/xmlmemory.c
	21	+++ b/xmlmemory.c
	22	@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line)
	23
	24	TEST_POINT
	25
	26	+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
	27	+ xmlGenericError(xmlGenericErrorContext,
	28	+ "xmlMallocLoc : Unsigned overflow\n");
	29	+ xmlMemoryDump();
	30	+ return(NULL);
	31	+ }
	32	+
	33	p = (MEMHDR *) malloc(RESERVE_SIZE+size);
	34
	35	if (!p) {
	36	@@ -352,6 +359,13 @@ xmlReallocLoc(void ptr,size_t size, const char file, int line)
	37	#endif
	38	xmlMutexUnlock(xmlMemMutex);
	39
	40	+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
	41	+ xmlGenericError(xmlGenericErrorContext,
	42	+ "xmlMallocLoc : Unsigned overflow\n");
	43	+ xmlMemoryDump();
	44	+ return(NULL);
	45	+ }
	46	+
	47	tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
	48	if (!tmp) {
	49	free(p);
	50	@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char str, const char file, int line)
	51	if (!xmlMemInitialized) xmlInitMemory();
	52	TEST_POINT
	53
	54	+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
	55	+ xmlGenericError(xmlGenericErrorContext,
	56	+ "xmlMallocLoc : Unsigned overflow\n");
	57	+ xmlMemoryDump();
	58	+ return(NULL);
	59	+ }
	60	+
	61	p = (MEMHDR *) malloc(RESERVE_SIZE+size);
	62	if (!p) {
	63	goto error;
	64	--
	65	2.7.4
	66