libxml2: Security fix for CVE-2016-1833

Affects libxml2 < 2.9.4 (From OE-Core rev: 990b5427fd3bf5c00ac7c5820d5f455378776b62) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-07-09 15:03:43 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-07-27 08:29:59 +0100
commit: 1ecd2f56aa274ce11c9d72f58289218d824ec995 (patch)
tree: 2facd740ab2916b3e33e9c4ecf06a6c82ceff3f6
parent: 1081306623cdac51b031d433acd6f77c1f83bf2d (diff)
download: poky-1ecd2f56aa274ce11c9d72f58289218d824ec995.tar.gz
2 files changed, 369 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1833.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1833.patch
new file mode 100644
index 0000000000..26a19b86e7
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1833.patch
@@ -0,0 +1,368 @@
+From 0bcd05c5cd83dec3406c8f68b769b1d610c72f76 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Tue, 1 Mar 2016 15:18:04 -0800
+Subject: [PATCH] Heap-based buffer overread in htmlCurrentChar
+For https://bugzilla.gnome.org/show_bug.cgi?id=758606
+* parserInternals.c:
+(xmlNextChar): Add an test to catch other issues on ctxt->input
+corruption proactively.
+For non-UTF-8 charsets, xmlNextChar() failed to check for the end
+of the input buffer and would continuing reading.  Fix this by
+pulling out the check for the end of the input buffer into common
+code, and return if we reach the end of the input buffer
+prematurely.
+* result/HTML/758606.html: Added.
+* result/HTML/758606.html.err: Added.
+* result/HTML/758606.html.sax: Added.
+* result/HTML/758606_2.html: Added.
+* result/HTML/758606_2.html.err: Added.
+* result/HTML/758606_2.html.sax: Added.
+* test/HTML/758606.html: Added test case.
+* test/HTML/758606_2.html: Added test case.
+Upstream-Status: Backport
+CVE: CVE-2016-1833
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ parserInternals.c             | 172 ++++++++++++++++++++++--------------------
+ result/HTML/758606.html       |   2 +
+ result/HTML/758606.html.err   |  16 ++++
+ result/HTML/758606.html.sax   |  10 +++
+ result/HTML/758606_2.html     |   2 +
+ result/HTML/758606_2.html.err |  16 ++++
+ result/HTML/758606_2.html.sax |  17 +++++
+ test/HTML/758606.html         |   1 +
+ test/HTML/758606_2.html       |   1 +
+ 9 files changed, 154 insertions(+), 83 deletions(-)
+ create mode 100644 result/HTML/758606.html
+ create mode 100644 result/HTML/758606.html.err
+ create mode 100644 result/HTML/758606.html.sax
+ create mode 100644 result/HTML/758606_2.html
+ create mode 100644 result/HTML/758606_2.html.err
+ create mode 100644 result/HTML/758606_2.html.sax
+ create mode 100644 test/HTML/758606.html
+ create mode 100644 test/HTML/758606_2.html
+diff --git a/parserInternals.c b/parserInternals.c
+index 8c79678..bfc778a 100644
+--- a/parserInternals.c
+++ b/parserInternals.c
+@@ -55,6 +55,10 @@
+ #include <libxml/globals.h>
+ #include <libxml/chvalid.h>
+ 
+#define CUR(ctxt) ctxt->input->cur
+#define END(ctxt) ctxt->input->end
+#define VALID_CTXT(ctxt) (CUR(ctxt) <= END(ctxt))
+
+ #include "buf.h"
+ #include "enc.h"
+ 
+@@ -422,103 +426,105 @@ xmlNextChar(xmlParserCtxtPtr ctxt)
+         (ctxt->input == NULL))
+         return;
+ 
+-    if (ctxt->charset == XML_CHAR_ENCODING_UTF8) {
+-        if ((*ctxt->input->cur == 0) &&
+-            (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0) &&
+-            (ctxt->instate != XML_PARSER_COMMENT)) {
+-            /*
+-             * If we are at the end of the current entity and
+-             * the context allows it, we pop consumed entities
+-             * automatically.
+-             * the auto closing should be blocked in other cases
+-             */
+    if (!(VALID_CTXT(ctxt))) {
+        xmlErrInternal(ctxt, "Parser input data memory error\n", NULL);
+       ctxt->errNo = XML_ERR_INTERNAL_ERROR;
+        xmlStopParser(ctxt);
+       return;
+    }
+
+    if ((*ctxt->input->cur == 0) &&
+        (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) {
+        if ((ctxt->instate != XML_PARSER_COMMENT))
+             xmlPopInput(ctxt);
+-        } else {
+-            const unsigned char *cur;
+-            unsigned char c;
+        return;
+    }
+ 
+-            /*
+-             *   2.11 End-of-Line Handling
+-             *   the literal two-character sequence "#xD#xA" or a standalone
+-             *   literal #xD, an XML processor must pass to the application
+-             *   the single character #xA.
+-             */
+-            if (*(ctxt->input->cur) == '\n') {
+-                ctxt->input->line++; ctxt->input->col = 1;
+-            } else
+-                ctxt->input->col++;
+    if (ctxt->charset == XML_CHAR_ENCODING_UTF8) {
+        const unsigned char *cur;
+        unsigned char c;
+ 
+-            /*
+-             * We are supposed to handle UTF8, check it's valid
+-             * From rfc2044: encoding of the Unicode values on UTF-8:
+-             *
+-             * UCS-4 range (hex.)           UTF-8 octet sequence (binary)
+-             * 0000 0000-0000 007F   0xxxxxxx
+-             * 0000 0080-0000 07FF   110xxxxx 10xxxxxx
+-             * 0000 0800-0000 FFFF   1110xxxx 10xxxxxx 10xxxxxx
+-             *
+-             * Check for the 0x110000 limit too
+-             */
+-            cur = ctxt->input->cur;
+        /*
+         *   2.11 End-of-Line Handling
+         *   the literal two-character sequence "#xD#xA" or a standalone
+         *   literal #xD, an XML processor must pass to the application
+         *   the single character #xA.
+         */
+        if (*(ctxt->input->cur) == '\n') {
+            ctxt->input->line++; ctxt->input->col = 1;
+        } else
+            ctxt->input->col++;
+ 
+-            c = *cur;
+-            if (c & 0x80) {
+-               if (c == 0xC0)
+-                   goto encoding_error;
+-                if (cur[1] == 0) {
+        /*
+         * We are supposed to handle UTF8, check it's valid
+         * From rfc2044: encoding of the Unicode values on UTF-8:
+         *
+         * UCS-4 range (hex.)           UTF-8 octet sequence (binary)
+         * 0000 0000-0000 007F   0xxxxxxx
+         * 0000 0080-0000 07FF   110xxxxx 10xxxxxx
+         * 0000 0800-0000 FFFF   1110xxxx 10xxxxxx 10xxxxxx
+         *
+         * Check for the 0x110000 limit too
+         */
+        cur = ctxt->input->cur;
+
+        c = *cur;
+        if (c & 0x80) {
+        if (c == 0xC0)
+           goto encoding_error;
+            if (cur[1] == 0) {
+                xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+                cur = ctxt->input->cur;
+            }
+            if ((cur[1] & 0xc0) != 0x80)
+                goto encoding_error;
+            if ((c & 0xe0) == 0xe0) {
+                unsigned int val;
+
+                if (cur[2] == 0) {
+                     xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+                     cur = ctxt->input->cur;
+                 }
+-                if ((cur[1] & 0xc0) != 0x80)
+                if ((cur[2] & 0xc0) != 0x80)
+                     goto encoding_error;
+-                if ((c & 0xe0) == 0xe0) {
+-                    unsigned int val;
+-
+-                    if (cur[2] == 0) {
+                if ((c & 0xf0) == 0xf0) {
+                    if (cur[3] == 0) {
+                         xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+                         cur = ctxt->input->cur;
+                     }
+-                    if ((cur[2] & 0xc0) != 0x80)
+                    if (((c & 0xf8) != 0xf0) ||
+                        ((cur[3] & 0xc0) != 0x80))
+                         goto encoding_error;
+-                    if ((c & 0xf0) == 0xf0) {
+-                        if (cur[3] == 0) {
+-                            xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+-                            cur = ctxt->input->cur;
+-                        }
+-                        if (((c & 0xf8) != 0xf0) ||
+-                            ((cur[3] & 0xc0) != 0x80))
+-                            goto encoding_error;
+-                        /* 4-byte code */
+-                        ctxt->input->cur += 4;
+-                        val = (cur[0] & 0x7) << 18;
+-                        val |= (cur[1] & 0x3f) << 12;
+-                        val |= (cur[2] & 0x3f) << 6;
+-                        val |= cur[3] & 0x3f;
+-                    } else {
+-                        /* 3-byte code */
+-                        ctxt->input->cur += 3;
+-                        val = (cur[0] & 0xf) << 12;
+-                        val |= (cur[1] & 0x3f) << 6;
+-                        val |= cur[2] & 0x3f;
+-                    }
+-                    if (((val > 0xd7ff) && (val < 0xe000)) ||
+-                        ((val > 0xfffd) && (val < 0x10000)) ||
+-                        (val >= 0x110000)) {
+-                       xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
+-                                         "Char 0x%X out of allowed range\n",
+-                                         val);
+-                    }
+-                } else
+-                    /* 2-byte code */
+-                    ctxt->input->cur += 2;
+                    /* 4-byte code */
+                    ctxt->input->cur += 4;
+                    val = (cur[0] & 0x7) << 18;
+                    val |= (cur[1] & 0x3f) << 12;
+                    val |= (cur[2] & 0x3f) << 6;
+                    val |= cur[3] & 0x3f;
+                } else {
+                    /* 3-byte code */
+                    ctxt->input->cur += 3;
+                    val = (cur[0] & 0xf) << 12;
+                    val |= (cur[1] & 0x3f) << 6;
+                    val |= cur[2] & 0x3f;
+                }
+                if (((val > 0xd7ff) && (val < 0xe000)) ||
+                    ((val > 0xfffd) && (val < 0x10000)) ||
+                    (val >= 0x110000)) {
+               xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
+                                 "Char 0x%X out of allowed range\n",
+                                 val);
+                }
+             } else
+-                /* 1-byte code */
+-                ctxt->input->cur++;
+                /* 2-byte code */
+                ctxt->input->cur += 2;
+        } else
+            /* 1-byte code */
+            ctxt->input->cur++;
+ 
+-            ctxt->nbChars++;
+-            if (*ctxt->input->cur == 0)
+-                xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+-        }
+        ctxt->nbChars++;
+        if (*ctxt->input->cur == 0)
+            xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+     } else {
+         /*
+          * Assume it's a fixed length encoding (1) with
+diff --git a/result/HTML/758606.html b/result/HTML/758606.html
+new file mode 100644
+index 0000000..4f21f62
+--- /dev/null
+++ b/result/HTML/758606.html
+@@ -0,0 +1,2 @@
+<!DOCTYPE >
+
+diff --git a/result/HTML/758606.html.err b/result/HTML/758606.html.err
+new file mode 100644
+index 0000000..060433a
+--- /dev/null
+++ b/result/HTML/758606.html.err
+@@ -0,0 +1,16 @@
+./test/HTML/758606.html:1: HTML parser error : Comment not terminated 
+<!--
+<!--<!doctype
+    ^
+./test/HTML/758606.html:1: HTML parser error : Invalid char in CDATA 0xC
+<!--<!doctype
+    ^
+./test/HTML/758606.html:1: HTML parser error : Misplaced DOCTYPE declaration
+<!--<!doctype
+     ^
+./test/HTML/758606.html:2: HTML parser error : htmlParseDocTypeDecl : no DOCTYPE name !
+
+^
+./test/HTML/758606.html:2: HTML parser error : DOCTYPE improperly terminated
+
+^
+diff --git a/result/HTML/758606.html.sax b/result/HTML/758606.html.sax
+new file mode 100644
+index 0000000..d44a5cf
+--- /dev/null
+++ b/result/HTML/758606.html.sax
+@@ -0,0 +1,10 @@
+SAX.setDocumentLocator()
+SAX.startDocument()
+SAX.error: Comment not terminated 
+<!--
+SAX.error: Invalid char in CDATA 0xC
+SAX.error: Misplaced DOCTYPE declaration
+SAX.error: htmlParseDocTypeDecl : no DOCTYPE name !
+SAX.error: DOCTYPE improperly terminated
+SAX.internalSubset((null), , )
+SAX.endDocument()
+diff --git a/result/HTML/758606_2.html b/result/HTML/758606_2.html
+new file mode 100644
+index 0000000..273816a
+--- /dev/null
+++ b/result/HTML/758606_2.html
+@@ -0,0 +1,2 @@
+<!DOCTYPE >
+<html><body><p>&#145;</p></body></html>
+diff --git a/result/HTML/758606_2.html.err b/result/HTML/758606_2.html.err
+new file mode 100644
+index 0000000..4be039f
+--- /dev/null
+++ b/result/HTML/758606_2.html.err
+@@ -0,0 +1,16 @@
+./test/HTML/758606_2.html:1: HTML parser error : Comment not terminated 
+<!--
+<!--�<!dOctYPE
+    ^
+./test/HTML/758606_2.html:1: HTML parser error : Invalid char in CDATA 0xC
+<!--�<!dOctYPE
+    ^
+./test/HTML/758606_2.html:1: HTML parser error : Misplaced DOCTYPE declaration
+<!dOctYPE
+  ^
+./test/HTML/758606_2.html:2: HTML parser error : htmlParseDocTypeDecl : no DOCTYPE name !
+
+^
+./test/HTML/758606_2.html:2: HTML parser error : DOCTYPE improperly terminated
+
+^
+diff --git a/result/HTML/758606_2.html.sax b/result/HTML/758606_2.html.sax
+new file mode 100644
+index 0000000..80ff3d7
+--- /dev/null
+++ b/result/HTML/758606_2.html.sax
+@@ -0,0 +1,17 @@
+SAX.setDocumentLocator()
+SAX.startDocument()
+SAX.error: Comment not terminated 
+<!--
+SAX.error: Invalid char in CDATA 0xC
+SAX.startElement(html)
+SAX.startElement(body)
+SAX.startElement(p)
+SAX.characters(&#145;, 2)
+SAX.error: Misplaced DOCTYPE declaration
+SAX.error: htmlParseDocTypeDecl : no DOCTYPE name !
+SAX.error: DOCTYPE improperly terminated
+SAX.internalSubset((null), , )
+SAX.endElement(p)
+SAX.endElement(body)
+SAX.endElement(html)
+SAX.endDocument()
+diff --git a/test/HTML/758606.html b/test/HTML/758606.html
+new file mode 100644
+index 0000000..01a013c
+--- /dev/null
+++ b/test/HTML/758606.html
+@@ -0,0 +1 @@
+<!--<!doctype
+diff --git a/test/HTML/758606_2.html b/test/HTML/758606_2.html
+new file mode 100644
+index 0000000..daa185b
+--- /dev/null
+++ b/test/HTML/758606_2.html
+@@ -0,0 +1 @@
+<!--�<!dOctYPE
+-- 
+2.3.5
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index 2bbdb0961d..76efa9ffca 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -15,6 +15,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
            file://CVE-2016-4449.patch \
            file://CVE-2016-1837.patch \
            file://CVE-2016-1835.patch \
+            file://CVE-2016-1833.patch \
    "
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"
author	Armin Kuster <akuster@mvista.com>	2016-07-09 15:03:43 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-07-27 08:29:59 +0100
commit	1ecd2f56aa274ce11c9d72f58289218d824ec995 (patch)
tree	2facd740ab2916b3e33e9c4ecf06a6c82ceff3f6
parent	1081306623cdac51b031d433acd6f77c1f83bf2d (diff)
download	poky-1ecd2f56aa274ce11c9d72f58289218d824ec995.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1833.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1833.patch new file mode 100644 index 0000000000..26a19b86e7 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1833.patch
@@ -0,0 +1,368 @@
		1	From 0bcd05c5cd83dec3406c8f68b769b1d610c72f76 Mon Sep 17 00:00:00 2001
		2	From: Pranjal Jumde <pjumde@apple.com>
		3	Date: Tue, 1 Mar 2016 15:18:04 -0800
		4	Subject: [PATCH] Heap-based buffer overread in htmlCurrentChar
		5
		6	For https://bugzilla.gnome.org/show_bug.cgi?id=758606
		7
		8	* parserInternals.c:
		9	(xmlNextChar): Add an test to catch other issues on ctxt->input
		10	corruption proactively.
		11	For non-UTF-8 charsets, xmlNextChar() failed to check for the end
		12	of the input buffer and would continuing reading. Fix this by
		13	pulling out the check for the end of the input buffer into common
		14	code, and return if we reach the end of the input buffer
		15	prematurely.
		16	* result/HTML/758606.html: Added.
		17	* result/HTML/758606.html.err: Added.
		18	* result/HTML/758606.html.sax: Added.
		19	* result/HTML/758606_2.html: Added.
		20	* result/HTML/758606_2.html.err: Added.
		21	* result/HTML/758606_2.html.sax: Added.
		22	* test/HTML/758606.html: Added test case.
		23	* test/HTML/758606_2.html: Added test case.
		24
		25	Upstream-Status: Backport
		26	CVE: CVE-2016-1833
		27	Signed-off-by: Armin Kuster <akuster@mvista.com>
		28
		29	---
		30	parserInternals.c \| 172 ++++++++++++++++++++++--------------------
		31	result/HTML/758606.html \| 2 +
		32	result/HTML/758606.html.err \| 16 ++++
		33	result/HTML/758606.html.sax \| 10 +++
		34	result/HTML/758606_2.html \| 2 +
		35	result/HTML/758606_2.html.err \| 16 ++++
		36	result/HTML/758606_2.html.sax \| 17 +++++
		37	test/HTML/758606.html \| 1 +
		38	test/HTML/758606_2.html \| 1 +
		39	9 files changed, 154 insertions(+), 83 deletions(-)
		40	create mode 100644 result/HTML/758606.html
		41	create mode 100644 result/HTML/758606.html.err
		42	create mode 100644 result/HTML/758606.html.sax
		43	create mode 100644 result/HTML/758606_2.html
		44	create mode 100644 result/HTML/758606_2.html.err
		45	create mode 100644 result/HTML/758606_2.html.sax
		46	create mode 100644 test/HTML/758606.html
		47	create mode 100644 test/HTML/758606_2.html
		48
		49	diff --git a/parserInternals.c b/parserInternals.c
		50	index 8c79678..bfc778a 100644
		51	--- a/parserInternals.c
		52	+++ b/parserInternals.c
		53	@@ -55,6 +55,10 @@
		54	#include <libxml/globals.h>
		55	#include <libxml/chvalid.h>
		56
		57	+#define CUR(ctxt) ctxt->input->cur
		58	+#define END(ctxt) ctxt->input->end
		59	+#define VALID_CTXT(ctxt) (CUR(ctxt) <= END(ctxt))
		60	+
		61	#include "buf.h"
		62	#include "enc.h"
		63
		64	@@ -422,103 +426,105 @@ xmlNextChar(xmlParserCtxtPtr ctxt)
		65	(ctxt->input == NULL))
		66	return;
		67
		68	- if (ctxt->charset == XML_CHAR_ENCODING_UTF8) {
		69	- if ((*ctxt->input->cur == 0) &&
		70	- (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0) &&
		71	- (ctxt->instate != XML_PARSER_COMMENT)) {
		72	- /*
		73	- * If we are at the end of the current entity and
		74	- * the context allows it, we pop consumed entities
		75	- * automatically.
		76	- * the auto closing should be blocked in other cases
		77	- */
		78	+ if (!(VALID_CTXT(ctxt))) {
		79	+ xmlErrInternal(ctxt, "Parser input data memory error\n", NULL);
		80	+ ctxt->errNo = XML_ERR_INTERNAL_ERROR;
		81	+ xmlStopParser(ctxt);
		82	+ return;
		83	+ }
		84	+
		85	+ if ((*ctxt->input->cur == 0) &&
		86	+ (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) {
		87	+ if ((ctxt->instate != XML_PARSER_COMMENT))
		88	xmlPopInput(ctxt);
		89	- } else {
		90	- const unsigned char *cur;
		91	- unsigned char c;
		92	+ return;
		93	+ }
		94
		95	- /*
		96	- * 2.11 End-of-Line Handling
		97	- * the literal two-character sequence "#xD#xA" or a standalone
		98	- * literal #xD, an XML processor must pass to the application
		99	- * the single character #xA.
		100	- */
		101	- if (*(ctxt->input->cur) == '\n') {
		102	- ctxt->input->line++; ctxt->input->col = 1;
		103	- } else
		104	- ctxt->input->col++;
		105	+ if (ctxt->charset == XML_CHAR_ENCODING_UTF8) {
		106	+ const unsigned char *cur;
		107	+ unsigned char c;
		108
		109	- /*
		110	- * We are supposed to handle UTF8, check it's valid
		111	- * From rfc2044: encoding of the Unicode values on UTF-8:
		112	- *
		113	- * UCS-4 range (hex.) UTF-8 octet sequence (binary)
		114	- * 0000 0000-0000 007F 0xxxxxxx
		115	- * 0000 0080-0000 07FF 110xxxxx 10xxxxxx
		116	- * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx
		117	- *
		118	- * Check for the 0x110000 limit too
		119	- */
		120	- cur = ctxt->input->cur;
		121	+ /*
		122	+ * 2.11 End-of-Line Handling
		123	+ * the literal two-character sequence "#xD#xA" or a standalone
		124	+ * literal #xD, an XML processor must pass to the application
		125	+ * the single character #xA.
		126	+ */
		127	+ if (*(ctxt->input->cur) == '\n') {
		128	+ ctxt->input->line++; ctxt->input->col = 1;
		129	+ } else
		130	+ ctxt->input->col++;
		131
		132	- c = *cur;
		133	- if (c & 0x80) {
		134	- if (c == 0xC0)
		135	- goto encoding_error;
		136	- if (cur[1] == 0) {
		137	+ /*
		138	+ * We are supposed to handle UTF8, check it's valid
		139	+ * From rfc2044: encoding of the Unicode values on UTF-8:
		140	+ *
		141	+ * UCS-4 range (hex.) UTF-8 octet sequence (binary)
		142	+ * 0000 0000-0000 007F 0xxxxxxx
		143	+ * 0000 0080-0000 07FF 110xxxxx 10xxxxxx
		144	+ * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx
		145	+ *
		146	+ * Check for the 0x110000 limit too
		147	+ */
		148	+ cur = ctxt->input->cur;
		149	+
		150	+ c = *cur;
		151	+ if (c & 0x80) {
		152	+ if (c == 0xC0)
		153	+ goto encoding_error;
		154	+ if (cur[1] == 0) {
		155	+ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
		156	+ cur = ctxt->input->cur;
		157	+ }
		158	+ if ((cur[1] & 0xc0) != 0x80)
		159	+ goto encoding_error;
		160	+ if ((c & 0xe0) == 0xe0) {
		161	+ unsigned int val;
		162	+
		163	+ if (cur[2] == 0) {
		164	xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
		165	cur = ctxt->input->cur;
		166	}
		167	- if ((cur[1] & 0xc0) != 0x80)
		168	+ if ((cur[2] & 0xc0) != 0x80)
		169	goto encoding_error;
		170	- if ((c & 0xe0) == 0xe0) {
		171	- unsigned int val;
		172	-
		173	- if (cur[2] == 0) {
		174	+ if ((c & 0xf0) == 0xf0) {
		175	+ if (cur[3] == 0) {
		176	xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
		177	cur = ctxt->input->cur;
		178	}
		179	- if ((cur[2] & 0xc0) != 0x80)
		180	+ if (((c & 0xf8) != 0xf0) \|\|
		181	+ ((cur[3] & 0xc0) != 0x80))
		182	goto encoding_error;
		183	- if ((c & 0xf0) == 0xf0) {
		184	- if (cur[3] == 0) {
		185	- xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
		186	- cur = ctxt->input->cur;
		187	- }
		188	- if (((c & 0xf8) != 0xf0) \|\|
		189	- ((cur[3] & 0xc0) != 0x80))
		190	- goto encoding_error;
		191	- /* 4-byte code */
		192	- ctxt->input->cur += 4;
		193	- val = (cur[0] & 0x7) << 18;
		194	- val \|= (cur[1] & 0x3f) << 12;
		195	- val \|= (cur[2] & 0x3f) << 6;
		196	- val \|= cur[3] & 0x3f;
		197	- } else {
		198	- /* 3-byte code */
		199	- ctxt->input->cur += 3;
		200	- val = (cur[0] & 0xf) << 12;
		201	- val \|= (cur[1] & 0x3f) << 6;
		202	- val \|= cur[2] & 0x3f;
		203	- }
		204	- if (((val > 0xd7ff) && (val < 0xe000)) \|\|
		205	- ((val > 0xfffd) && (val < 0x10000)) \|\|
		206	- (val >= 0x110000)) {
		207	- xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
		208	- "Char 0x%X out of allowed range\n",
		209	- val);
		210	- }
		211	- } else
		212	- /* 2-byte code */
		213	- ctxt->input->cur += 2;
		214	+ /* 4-byte code */
		215	+ ctxt->input->cur += 4;
		216	+ val = (cur[0] & 0x7) << 18;
		217	+ val \|= (cur[1] & 0x3f) << 12;
		218	+ val \|= (cur[2] & 0x3f) << 6;
		219	+ val \|= cur[3] & 0x3f;
		220	+ } else {
		221	+ /* 3-byte code */
		222	+ ctxt->input->cur += 3;
		223	+ val = (cur[0] & 0xf) << 12;
		224	+ val \|= (cur[1] & 0x3f) << 6;
		225	+ val \|= cur[2] & 0x3f;
		226	+ }
		227	+ if (((val > 0xd7ff) && (val < 0xe000)) \|\|
		228	+ ((val > 0xfffd) && (val < 0x10000)) \|\|
		229	+ (val >= 0x110000)) {
		230	+ xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
		231	+ "Char 0x%X out of allowed range\n",
		232	+ val);
		233	+ }
		234	} else
		235	- /* 1-byte code */
		236	- ctxt->input->cur++;
		237	+ /* 2-byte code */
		238	+ ctxt->input->cur += 2;
		239	+ } else
		240	+ /* 1-byte code */
		241	+ ctxt->input->cur++;
		242
		243	- ctxt->nbChars++;
		244	- if (*ctxt->input->cur == 0)
		245	- xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
		246	- }
		247	+ ctxt->nbChars++;
		248	+ if (*ctxt->input->cur == 0)
		249	+ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
		250	} else {
		251	/*
		252	* Assume it's a fixed length encoding (1) with
		253	diff --git a/result/HTML/758606.html b/result/HTML/758606.html
		254	new file mode 100644
		255	index 0000000..4f21f62
		256	--- /dev/null
		257	+++ b/result/HTML/758606.html
		258	@@ -0,0 +1,2 @@
		259	+<!DOCTYPE >
		260	+
		261	diff --git a/result/HTML/758606.html.err b/result/HTML/758606.html.err
		262	new file mode 100644
		263	index 0000000..060433a
		264	--- /dev/null
		265	+++ b/result/HTML/758606.html.err
		266	@@ -0,0 +1,16 @@
		267	+./test/HTML/758606.html:1: HTML parser error : Comment not terminated
		268	+<!--
		269	+<!--<!doctype
		270	+ ^
		271	+./test/HTML/758606.html:1: HTML parser error : Invalid char in CDATA 0xC
		272	+<!--<!doctype
		273	+ ^
		274	+./test/HTML/758606.html:1: HTML parser error : Misplaced DOCTYPE declaration
		275	+<!--<!doctype
		276	+ ^
		277	+./test/HTML/758606.html:2: HTML parser error : htmlParseDocTypeDecl : no DOCTYPE name !
		278	+
		279	+^
		280	+./test/HTML/758606.html:2: HTML parser error : DOCTYPE improperly terminated
		281	+
		282	+^
		283	diff --git a/result/HTML/758606.html.sax b/result/HTML/758606.html.sax
		284	new file mode 100644
		285	index 0000000..d44a5cf
		286	--- /dev/null
		287	+++ b/result/HTML/758606.html.sax
		288	@@ -0,0 +1,10 @@
		289	+SAX.setDocumentLocator()
		290	+SAX.startDocument()
		291	+SAX.error: Comment not terminated
		292	+<!--
		293	+SAX.error: Invalid char in CDATA 0xC
		294	+SAX.error: Misplaced DOCTYPE declaration
		295	+SAX.error: htmlParseDocTypeDecl : no DOCTYPE name !
		296	+SAX.error: DOCTYPE improperly terminated
		297	+SAX.internalSubset((null), , )
		298	+SAX.endDocument()
		299	diff --git a/result/HTML/758606_2.html b/result/HTML/758606_2.html
		300	new file mode 100644
		301	index 0000000..273816a
		302	--- /dev/null
		303	+++ b/result/HTML/758606_2.html
		304	@@ -0,0 +1,2 @@
		305	+<!DOCTYPE >
		306	+<html><body><p></p></body></html>
		307	diff --git a/result/HTML/758606_2.html.err b/result/HTML/758606_2.html.err
		308	new file mode 100644
		309	index 0000000..4be039f
		310	--- /dev/null
		311	+++ b/result/HTML/758606_2.html.err
		312	@@ -0,0 +1,16 @@
		313	+./test/HTML/758606_2.html:1: HTML parser error : Comment not terminated
		314	+<!--
		315	+<!--�<!dOctYPE
		316	+ ^
		317	+./test/HTML/758606_2.html:1: HTML parser error : Invalid char in CDATA 0xC
		318	+<!--�<!dOctYPE
		319	+ ^
		320	+./test/HTML/758606_2.html:1: HTML parser error : Misplaced DOCTYPE declaration
		321	+<!dOctYPE
		322	+ ^
		323	+./test/HTML/758606_2.html:2: HTML parser error : htmlParseDocTypeDecl : no DOCTYPE name !
		324	+
		325	+^
		326	+./test/HTML/758606_2.html:2: HTML parser error : DOCTYPE improperly terminated
		327	+
		328	+^
		329	diff --git a/result/HTML/758606_2.html.sax b/result/HTML/758606_2.html.sax
		330	new file mode 100644
		331	index 0000000..80ff3d7
		332	--- /dev/null
		333	+++ b/result/HTML/758606_2.html.sax
		334	@@ -0,0 +1,17 @@
		335	+SAX.setDocumentLocator()
		336	+SAX.startDocument()
		337	+SAX.error: Comment not terminated
		338	+<!--
		339	+SAX.error: Invalid char in CDATA 0xC
		340	+SAX.startElement(html)
		341	+SAX.startElement(body)
		342	+SAX.startElement(p)
		343	+SAX.characters(, 2)
		344	+SAX.error: Misplaced DOCTYPE declaration
		345	+SAX.error: htmlParseDocTypeDecl : no DOCTYPE name !
		346	+SAX.error: DOCTYPE improperly terminated
		347	+SAX.internalSubset((null), , )
		348	+SAX.endElement(p)
		349	+SAX.endElement(body)
		350	+SAX.endElement(html)
		351	+SAX.endDocument()
		352	diff --git a/test/HTML/758606.html b/test/HTML/758606.html
		353	new file mode 100644
		354	index 0000000..01a013c
		355	--- /dev/null
		356	+++ b/test/HTML/758606.html
		357	@@ -0,0 +1 @@
		358	+<!--<!doctype
		359	diff --git a/test/HTML/758606_2.html b/test/HTML/758606_2.html
		360	new file mode 100644
		361	index 0000000..daa185b
		362	--- /dev/null
		363	+++ b/test/HTML/758606_2.html
		364	@@ -0,0 +1 @@
		365	+<!--�<!dOctYPE
		366	--
		367	2.3.5
		368


diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb index 2bbdb0961d..76efa9ffca 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.2.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -15,6 +15,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
15	file://CVE-2016-4449.patch \	15	file://CVE-2016-4449.patch \
16	file://CVE-2016-1837.patch \	16	file://CVE-2016-1837.patch \
17	file://CVE-2016-1835.patch \	17	file://CVE-2016-1835.patch \
		18	file://CVE-2016-1833.patch \
18	"	19	"
19		20
20	SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"	21	SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"