libxml2: refresh CVE-2017-8872

The patch associated with the CVE-2017-8872 report was never merged into
libxml2, but a slightly different patch for the same problem was.  Cherry-pick
that as a backport, which also fixes the failing test suite.

(From OE-Core rev: 512869aea6dde1bb2374601f7c4d793ac9edaa42)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

1 files changed, 50 insertions, 23 deletions

diff --git a/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
index b34479f318..42a4b0ed60 100644
--- a/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
+++ b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
@@ -1,38 +1,65 @@
-From b4bee17b158e289e5c4c9045e64e5374ccafe068 Mon Sep 17 00:00:00 2001
-From: Salvatore Bonaccorso <carnil@debian.org>
-Date: Tue, 3 Jul 2018 15:54:03 +0800
-Subject: [PATCH] Out-of-bounds read in htmlParseTryOrFinish (CVE-2017-8872)
+Upstream-Status: Backport
+CVE: CVE-2017-8872
+Signed-off-by: Ross Burton <ross.burton@intel.com>
 
-https://bugzilla.gnome.org/show_bug.cgi?id=775200
-Fixes bug 775200.
+From 123234f2cfcd9e9b9f83047eee1dc17b4c3f4407 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 11 Sep 2018 14:52:07 +0200
+Subject: [PATCH] Free input buffer in xmlHaltParser
 
-Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
+This avoids miscalculation of available bytes.
 
-Upstream-Status: Submitted
-https://bug775200.bugzilla-attachments.gnome.org/attachment.cgi?id=366193
-CVE: CVE-2017-8872
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Thanks to Yunho Kim for the report.
+
+Closes: #26
 ---
- parser.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
+ parser.c                     |  5 +++++
+ result/errors/759573.xml.err | 17 +++++++----------
+ 2 files changed, 12 insertions(+), 10 deletions(-)
 
 diff --git a/parser.c b/parser.c
-index ca9fde2..fb4c889 100644
+index ca9fde2c..5813a664 100644
 --- a/parser.c
 +++ b/parser.c
-@@ -12464,7 +12464,11 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
+@@ -12462,7 +12462,12 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
+            ctxt->input->free((xmlChar *) ctxt->input->base);
+            ctxt->input->free = NULL;
         }
++        if (ctxt->input->buf != NULL) {
++            xmlFreeParserInputBuffer(ctxt->input->buf);
++            ctxt->input->buf = NULL;
++        }
         ctxt->input->cur = BAD_CAST"";
++        ctxt->input->length = 0;
         ctxt->input->base = ctxt->input->cur;
--        ctxt->input->end = ctxt->input->cur;
-+       ctxt->input->end = ctxt->input->cur;
-+       if (ctxt->input->buf)
-+           xmlBufEmpty (ctxt->input->buf->buffer);
-+       else
-+           ctxt->input->length = 0;
+         ctxt->input->end = ctxt->input->cur;
      }
- }
+diff --git a/result/errors/759573.xml.err b/result/errors/759573.xml.err
+index 554039f6..38ef5c40 100644
+--- a/result/errors/759573.xml.err
++++ b/result/errors/759573.xml.err
+@@ -21,14 +21,11 @@ Entity: line 1:
+             ^
+ ./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
  
+-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
+-     ^
++
++^
+ ./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated
+-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
+-     ^
+-./test/errors/759573.xml:1: parser error : StartTag: invalid element name
+-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
+-      ^
+-./test/errors/759573.xml:1: parser error : Extra content at the end of the document
+-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
+-      ^
++
++^
++./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found
++
++^
 -- 
-2.7.4
+2.11.0