libxml2: fix CVE-2016-4658 Disallow namespace nodes in XPointer points and ranges

Namespace nodes must be copied to avoid use-after-free errors. But they don't necessarily have a physical representation in a document, so simply disallow them in XPointer ranges. (From OE-Core rev: 00e928bd1c2aed9caeaf9e411743805d2139a023) (From OE-Core rev: cf810d5cc17cb6b9f53d21a404c89afe372accb7) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Andrej Valek <andrej.valek@siemens.com> 2016-12-12 14:20:20 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-01-11 17:21:46 +0000
commit: 359189b6e6e5307156b08f0b7922a79e6acea1e2 (patch)
tree: c062758dc743378e45163d130e97b1435ff52cc9 /meta
parent: 5ba779d5abdbb8707ec6b346c76b798a6cd0d98f (diff)
download: poky-359189b6e6e5307156b08f0b7922a79e6acea1e2.tar.gz
2 files changed, 270 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch
new file mode 100644
index 0000000000..5412e8c02a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch
@@ -0,0 +1,269 @@
+libxml2-2.9.4: Fix CVE-2016-4658
+[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4658
+xpointer: Disallow namespace nodes in XPointer points and ranges
+Namespace nodes must be copied to avoid use-after-free errors.
+But they don't necessarily have a physical representation in a
+document, so simply disallow them in XPointer ranges.
+Upstream-Status: Backported 
+ - [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b]
+ - [https://git.gnome.org/browse/libxml2/commit/?id=3f8a91036d338e51c059d54397a42d645f019c65]
+CVE: CVE-2016-4658
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
+diff --git a/xpointer.c b/xpointer.c
+index 676c510..911680d 100644
+--- a/xpointer.c
+++ b/xpointer.c
+@@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) {
+ }
+ 
+ /**
+ * xmlXPtrNewRangeInternal:
+ * @start:  the starting node
+ * @startindex:  the start index
+ * @end:  the ending point
+ * @endindex:  the ending index
+ *
+ * Internal function to create a new xmlXPathObjectPtr of type range
+ *
+ * Returns the newly created object.
+ */
+static xmlXPathObjectPtr
+xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex,
+                        xmlNodePtr end, int endindex) {
+    xmlXPathObjectPtr ret;
+
+    /*
+     * Namespace nodes must be copied (see xmlXPathNodeSetDupNs).
+     * Disallow them for now.
+     */
+    if ((start != NULL) && (start->type == XML_NAMESPACE_DECL))
+       return(NULL);
+    if ((end != NULL) && (end->type == XML_NAMESPACE_DECL))
+       return(NULL);
+
+    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+    if (ret == NULL) {
+        xmlXPtrErrMemory("allocating range");
+       return(NULL);
+    }
+    memset(ret, 0, sizeof(xmlXPathObject));
+    ret->type = XPATH_RANGE;
+    ret->user = start;
+    ret->index = startindex;
+    ret->user2 = end;
+    ret->index2 = endindex;
+    return(ret);
+}
+
+/**
+  * xmlXPtrNewRange:
+  * @start:  the starting node
+  * @startindex:  the start index
+@@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex,
+     if (endindex < 0)
+        return(NULL);
+ 
+-    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+-    if (ret == NULL) {
+-        xmlXPtrErrMemory("allocating range");
+-       return(NULL);
+-    }
+-    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+-    ret->type = XPATH_RANGE;
+-    ret->user = start;
+-    ret->index = startindex;
+-    ret->user2 = end;
+-    ret->index2 = endindex;
+    ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex);
+     xmlXPtrRangeCheckOrder(ret);
+     return(ret);
+ }
+@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) {
+     if (end->type != XPATH_POINT)
+        return(NULL);
+ 
+-    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+-    if (ret == NULL) {
+-        xmlXPtrErrMemory("allocating range");
+-       return(NULL);
+-    }
+-    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+-    ret->type = XPATH_RANGE;
+-    ret->user = start->user;
+-    ret->index = start->index;
+-    ret->user2 = end->user;
+-    ret->index2 = end->index;
+    ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user,
+                                 end->index);
+     xmlXPtrRangeCheckOrder(ret);
+     return(ret);
+ }
+@@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) {
+     if (start->type != XPATH_POINT)
+        return(NULL);
+ 
+-    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+-    if (ret == NULL) {
+-        xmlXPtrErrMemory("allocating range");
+-       return(NULL);
+-    }
+-    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+-    ret->type = XPATH_RANGE;
+-    ret->user = start->user;
+-    ret->index = start->index;
+-    ret->user2 = end;
+-    ret->index2 = -1;
+    ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1);
+     xmlXPtrRangeCheckOrder(ret);
+     return(ret);
+ }
+@@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) {
+     if (end->type != XPATH_POINT)
+        return(NULL);
+ 
+-    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+-    if (ret == NULL) {
+-        xmlXPtrErrMemory("allocating range");
+-       return(NULL);
+-    }
+-    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+-    ret->type = XPATH_RANGE;
+-    ret->user = start;
+-    ret->index = -1;
+-    ret->user2 = end->user;
+-    ret->index2 = end->index;
+    ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index);
+     xmlXPtrRangeCheckOrder(ret);
+     return(ret);
+ }
+@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) {
+     if (end == NULL)
+        return(NULL);
+ 
+-    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+-    if (ret == NULL) {
+-        xmlXPtrErrMemory("allocating range");
+-       return(NULL);
+-    }
+-    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+-    ret->type = XPATH_RANGE;
+-    ret->user = start;
+-    ret->index = -1;
+-    ret->user2 = end;
+-    ret->index2 = -1;
+    ret = xmlXPtrNewRangeInternal(start, -1, end, -1);
+     xmlXPtrRangeCheckOrder(ret);
+     return(ret);
+ }
+@@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
+     if (start == NULL)
+        return(NULL);
+ 
+-    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+-    if (ret == NULL) {
+-        xmlXPtrErrMemory("allocating range");
+-       return(NULL);
+-    }
+-    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+-    ret->type = XPATH_RANGE;
+-    ret->user = start;
+-    ret->index = -1;
+-    ret->user2 = NULL;
+-    ret->index2 = -1;
+    ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1);
+     return(ret);
+ }
+ 
+@@ -541,6 +521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
+  */
+ xmlXPathObjectPtr
+ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
+    xmlNodePtr endNode;
+    int endIndex;
+     xmlXPathObjectPtr ret;
+ 
+     if (start == NULL)
+@@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
+        return(NULL);
+     switch (end->type) {
+        case XPATH_POINT:
+           endNode = end->user;
+           endIndex = end->index;
+           break;
+        case XPATH_RANGE:
+           endNode = end->user2;
+           endIndex = end->index2;
+            break;
+        case XPATH_NODESET:
+            /*
+@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
+             */
+            if (end->nodesetval->nodeNr <= 0)
+                return(NULL);
+           endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
+           endIndex = -1;
+            break;
+        default:
+            /* TODO */
+            return(NULL);
+     }
+ 
+-    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
+-    if (ret == NULL) {
+-        xmlXPtrErrMemory("allocating range");
+-       return(NULL);
+-    }
+-    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
+-    ret->type = XPATH_RANGE;
+-    ret->user = start;
+-    ret->index = -1;
+-    switch (end->type) {
+-       case XPATH_POINT:
+-           ret->user2 = end->user;
+-           ret->index2 = end->index;
+-           break;
+-       case XPATH_RANGE:
+-           ret->user2 = end->user2;
+-           ret->index2 = end->index2;
+-           break;
+-       case XPATH_NODESET: {
+-           ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
+-           ret->index2 = -1;
+-           break;
+-       }
+-       default:
+-           STRANGE
+-           return(NULL);
+-    }
+    ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex);
+     xmlXPtrRangeCheckOrder(ret);
+     return(ret);
+ }
+@@ -1835,8 +1798,8 @@ xmlXPtrStartPointFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+                case XPATH_RANGE: {
+                    xmlNodePtr node = tmp->user;
+                    if (node != NULL) {
+-                       if (node->type == XML_ATTRIBUTE_NODE) {
+-                           /* TODO: Namespace Nodes ??? */
+                       if ((node->type == XML_ATTRIBUTE_NODE) ||
+                            (node->type == XML_NAMESPACE_DECL)) {
+                            xmlXPathFreeObject(obj);
+                            xmlXPtrFreeLocationSet(newset);
+                            XP_ERROR(XPTR_SYNTAX_ERROR);
+@@ -1931,8 +1894,8 @@ xmlXPtrEndPointFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+                case XPATH_RANGE: {
+                    xmlNodePtr node = tmp->user2;
+                    if (node != NULL) {
+-                       if (node->type == XML_ATTRIBUTE_NODE) {
+-                           /* TODO: Namespace Nodes ??? */
+                       if ((node->type == XML_ATTRIBUTE_NODE) ||
+                            (node->type == XML_NAMESPACE_DECL)) {
+                            xmlXPathFreeObject(obj);
+                            xmlXPtrFreeLocationSet(newset);
+                            XP_ERROR(XPTR_SYNTAX_ERROR);
diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb
index 66a89400e5..a1d1e9e12d 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -21,6 +21,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
           file://libxml-m4-use-pkgconfig.patch \
           file://libxml2-fix_node_comparison.patch \
           file://libxml2-CVE-2016-5131.patch \
+           file://libxml2-CVE-2016-4658.patch \
          "
 SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"
author	Andrej Valek <andrej.valek@siemens.com>	2016-12-12 14:20:20 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-01-11 17:21:46 +0000
commit	359189b6e6e5307156b08f0b7922a79e6acea1e2 (patch)
tree	c062758dc743378e45163d130e97b1435ff52cc9 /meta
parent	5ba779d5abdbb8707ec6b346c76b798a6cd0d98f (diff)
download	poky-359189b6e6e5307156b08f0b7922a79e6acea1e2.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch new file mode 100644 index 0000000000..5412e8c02a --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/libxml2-CVE-2016-4658.patch
@@ -0,0 +1,269 @@
		1	libxml2-2.9.4: Fix CVE-2016-4658
		2
		3	[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4658
		4
		5	xpointer: Disallow namespace nodes in XPointer points and ranges
		6
		7	Namespace nodes must be copied to avoid use-after-free errors.
		8	But they don't necessarily have a physical representation in a
		9	document, so simply disallow them in XPointer ranges.
		10
		11	Upstream-Status: Backported
		12	- [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b]
		13	- [https://git.gnome.org/browse/libxml2/commit/?id=3f8a91036d338e51c059d54397a42d645f019c65]
		14	CVE: CVE-2016-4658
		15	Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
		16	Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
		17
		18	diff --git a/xpointer.c b/xpointer.c
		19	index 676c510..911680d 100644
		20	--- a/xpointer.c
		21	+++ b/xpointer.c
		22	@@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) {
		23	}
		24
		25	/**
		26	+ * xmlXPtrNewRangeInternal:
		27	+ * @start: the starting node
		28	+ * @startindex: the start index
		29	+ * @end: the ending point
		30	+ * @endindex: the ending index
		31	+ *
		32	+ * Internal function to create a new xmlXPathObjectPtr of type range
		33	+ *
		34	+ * Returns the newly created object.
		35	+ */
		36	+static xmlXPathObjectPtr
		37	+xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex,
		38	+ xmlNodePtr end, int endindex) {
		39	+ xmlXPathObjectPtr ret;
		40	+
		41	+ /*
		42	+ * Namespace nodes must be copied (see xmlXPathNodeSetDupNs).
		43	+ * Disallow them for now.
		44	+ */
		45	+ if ((start != NULL) && (start->type == XML_NAMESPACE_DECL))
		46	+ return(NULL);
		47	+ if ((end != NULL) && (end->type == XML_NAMESPACE_DECL))
		48	+ return(NULL);
		49	+
		50	+ ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
		51	+ if (ret == NULL) {
		52	+ xmlXPtrErrMemory("allocating range");
		53	+ return(NULL);
		54	+ }
		55	+ memset(ret, 0, sizeof(xmlXPathObject));
		56	+ ret->type = XPATH_RANGE;
		57	+ ret->user = start;
		58	+ ret->index = startindex;
		59	+ ret->user2 = end;
		60	+ ret->index2 = endindex;
		61	+ return(ret);
		62	+}
		63	+
		64	+/**
		65	* xmlXPtrNewRange:
		66	* @start: the starting node
		67	* @startindex: the start index
		68	@@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex,
		69	if (endindex < 0)
		70	return(NULL);
		71
		72	- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
		73	- if (ret == NULL) {
		74	- xmlXPtrErrMemory("allocating range");
		75	- return(NULL);
		76	- }
		77	- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
		78	- ret->type = XPATH_RANGE;
		79	- ret->user = start;
		80	- ret->index = startindex;
		81	- ret->user2 = end;
		82	- ret->index2 = endindex;
		83	+ ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex);
		84	xmlXPtrRangeCheckOrder(ret);
		85	return(ret);
		86	}
		87	@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) {
		88	if (end->type != XPATH_POINT)
		89	return(NULL);
		90
		91	- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
		92	- if (ret == NULL) {
		93	- xmlXPtrErrMemory("allocating range");
		94	- return(NULL);
		95	- }
		96	- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
		97	- ret->type = XPATH_RANGE;
		98	- ret->user = start->user;
		99	- ret->index = start->index;
		100	- ret->user2 = end->user;
		101	- ret->index2 = end->index;
		102	+ ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user,
		103	+ end->index);
		104	xmlXPtrRangeCheckOrder(ret);
		105	return(ret);
		106	}
		107	@@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) {
		108	if (start->type != XPATH_POINT)
		109	return(NULL);
		110
		111	- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
		112	- if (ret == NULL) {
		113	- xmlXPtrErrMemory("allocating range");
		114	- return(NULL);
		115	- }
		116	- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
		117	- ret->type = XPATH_RANGE;
		118	- ret->user = start->user;
		119	- ret->index = start->index;
		120	- ret->user2 = end;
		121	- ret->index2 = -1;
		122	+ ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1);
		123	xmlXPtrRangeCheckOrder(ret);
		124	return(ret);
		125	}
		126	@@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) {
		127	if (end->type != XPATH_POINT)
		128	return(NULL);
		129
		130	- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
		131	- if (ret == NULL) {
		132	- xmlXPtrErrMemory("allocating range");
		133	- return(NULL);
		134	- }
		135	- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
		136	- ret->type = XPATH_RANGE;
		137	- ret->user = start;
		138	- ret->index = -1;
		139	- ret->user2 = end->user;
		140	- ret->index2 = end->index;
		141	+ ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index);
		142	xmlXPtrRangeCheckOrder(ret);
		143	return(ret);
		144	}
		145	@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) {
		146	if (end == NULL)
		147	return(NULL);
		148
		149	- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
		150	- if (ret == NULL) {
		151	- xmlXPtrErrMemory("allocating range");
		152	- return(NULL);
		153	- }
		154	- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
		155	- ret->type = XPATH_RANGE;
		156	- ret->user = start;
		157	- ret->index = -1;
		158	- ret->user2 = end;
		159	- ret->index2 = -1;
		160	+ ret = xmlXPtrNewRangeInternal(start, -1, end, -1);
		161	xmlXPtrRangeCheckOrder(ret);
		162	return(ret);
		163	}
		164	@@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
		165	if (start == NULL)
		166	return(NULL);
		167
		168	- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
		169	- if (ret == NULL) {
		170	- xmlXPtrErrMemory("allocating range");
		171	- return(NULL);
		172	- }
		173	- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
		174	- ret->type = XPATH_RANGE;
		175	- ret->user = start;
		176	- ret->index = -1;
		177	- ret->user2 = NULL;
		178	- ret->index2 = -1;
		179	+ ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1);
		180	return(ret);
		181	}
		182
		183	@@ -541,6 +521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
		184	*/
		185	xmlXPathObjectPtr
		186	xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
		187	+ xmlNodePtr endNode;
		188	+ int endIndex;
		189	xmlXPathObjectPtr ret;
		190
		191	if (start == NULL)
		192	@@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
		193	return(NULL);
		194	switch (end->type) {
		195	case XPATH_POINT:
		196	+ endNode = end->user;
		197	+ endIndex = end->index;
		198	+ break;
		199	case XPATH_RANGE:
		200	+ endNode = end->user2;
		201	+ endIndex = end->index2;
		202	break;
		203	case XPATH_NODESET:
		204	/*
		205	@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
		206	*/
		207	if (end->nodesetval->nodeNr <= 0)
		208	return(NULL);
		209	+ endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
		210	+ endIndex = -1;
		211	break;
		212	default:
		213	/* TODO */
		214	return(NULL);
		215	}
		216
		217	- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
		218	- if (ret == NULL) {
		219	- xmlXPtrErrMemory("allocating range");
		220	- return(NULL);
		221	- }
		222	- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
		223	- ret->type = XPATH_RANGE;
		224	- ret->user = start;
		225	- ret->index = -1;
		226	- switch (end->type) {
		227	- case XPATH_POINT:
		228	- ret->user2 = end->user;
		229	- ret->index2 = end->index;
		230	- break;
		231	- case XPATH_RANGE:
		232	- ret->user2 = end->user2;
		233	- ret->index2 = end->index2;
		234	- break;
		235	- case XPATH_NODESET: {
		236	- ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
		237	- ret->index2 = -1;
		238	- break;
		239	- }
		240	- default:
		241	- STRANGE
		242	- return(NULL);
		243	- }
		244	+ ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex);
		245	xmlXPtrRangeCheckOrder(ret);
		246	return(ret);
		247	}
		248	@@ -1835,8 +1798,8 @@ xmlXPtrStartPointFunction(xmlXPathParserContextPtr ctxt, int nargs) {
		249	case XPATH_RANGE: {
		250	xmlNodePtr node = tmp->user;
		251	if (node != NULL) {
		252	- if (node->type == XML_ATTRIBUTE_NODE) {
		253	- /* TODO: Namespace Nodes ??? */
		254	+ if ((node->type == XML_ATTRIBUTE_NODE) \|\|
		255	+ (node->type == XML_NAMESPACE_DECL)) {
		256	xmlXPathFreeObject(obj);
		257	xmlXPtrFreeLocationSet(newset);
		258	XP_ERROR(XPTR_SYNTAX_ERROR);
		259	@@ -1931,8 +1894,8 @@ xmlXPtrEndPointFunction(xmlXPathParserContextPtr ctxt, int nargs) {
		260	case XPATH_RANGE: {
		261	xmlNodePtr node = tmp->user2;
		262	if (node != NULL) {
		263	- if (node->type == XML_ATTRIBUTE_NODE) {
		264	- /* TODO: Namespace Nodes ??? */
		265	+ if ((node->type == XML_ATTRIBUTE_NODE) \|\|
		266	+ (node->type == XML_NAMESPACE_DECL)) {
		267	xmlXPathFreeObject(obj);
		268	xmlXPtrFreeLocationSet(newset);
		269	XP_ERROR(XPTR_SYNTAX_ERROR);


diff --git a/meta/recipes-core/libxml/libxml2_2.9.4.bb b/meta/recipes-core/libxml/libxml2_2.9.4.bb index 66a89400e5..a1d1e9e12d 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.4.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.4.bb
@@ -21,6 +21,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
21	file://libxml-m4-use-pkgconfig.patch \	21	file://libxml-m4-use-pkgconfig.patch \
22	file://libxml2-fix_node_comparison.patch \	22	file://libxml2-fix_node_comparison.patch \
23	file://libxml2-CVE-2016-5131.patch \	23	file://libxml2-CVE-2016-5131.patch \
		24	file://libxml2-CVE-2016-4658.patch \
24	"	25	"
25		26
26	SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"	27	SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"