-rw-r--r--meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch73
1 files changed, 50 insertions, 23 deletions
diff --git a/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
index b34479f318..42a4b0ed60 100644
--- a/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
+++ b/meta/recipes-core/libxml/libxml2/fix-CVE-2017-8872.patch
@@ -1,38 +1,65 @@
1From b4bee17b158e289e5c4c9045e64e5374ccafe068 Mon Sep 17 00:00:00 2001 1Upstream-Status: Backport
2From: Salvatore Bonaccorso <carnil@debian.org> 2CVE: CVE-2017-8872
3Date: Tue, 3 Jul 2018 15:54:03 +0800 3Signed-off-by: Ross Burton <ross.burton@intel.com>
4Subject: [PATCH] Out-of-bounds read in htmlParseTryOrFinish (CVE-2017-8872)
5 4
6https://bugzilla.gnome.org/show_bug.cgi?id=775200 5From 123234f2cfcd9e9b9f83047eee1dc17b4c3f4407 Mon Sep 17 00:00:00 2001
7Fixes bug 775200. 6From: Nick Wellnhofer <wellnhofer@aevum.de>
7Date: Tue, 11 Sep 2018 14:52:07 +0200
8Subject: [PATCH] Free input buffer in xmlHaltParser
8 9
9Signed-off-by: Salvatore Bonaccorso <carnil@debian.org> 10This avoids miscalculation of available bytes.
10 11
11Upstream-Status: Submitted 12Thanks to Yunho Kim for the report.
12https://bug775200.bugzilla-attachments.gnome.org/attachment.cgi?id=366193 13
13CVE: CVE-2017-8872 14Closes: #26
14Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
15--- 15---
16 parser.c | 6 +++++- 16 parser.c | 5 +++++
17 1 file changed, 5 insertions(+), 1 deletion(-) 17 result/errors/759573.xml.err | 17 +++++++----------
18 2 files changed, 12 insertions(+), 10 deletions(-)
18 19
19diff --git a/parser.c b/parser.c 20diff --git a/parser.c b/parser.c
20index ca9fde2..fb4c889 100644 21index ca9fde2c..5813a664 100644
21--- a/parser.c 22--- a/parser.c
22+++ b/parser.c 23+++ b/parser.c
23@@ -12464,7 +12464,11 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) { 24@@ -12462,7 +12462,12 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
25 ctxt->input->free((xmlChar *) ctxt->input->base);
26 ctxt->input->free = NULL;
24 } 27 }
28+ if (ctxt->input->buf != NULL) {
29+ xmlFreeParserInputBuffer(ctxt->input->buf);
30+ ctxt->input->buf = NULL;
31+ }
25 ctxt->input->cur = BAD_CAST""; 32 ctxt->input->cur = BAD_CAST"";
33+ ctxt->input->length = 0;
26 ctxt->input->base = ctxt->input->cur; 34 ctxt->input->base = ctxt->input->cur;
27- ctxt->input->end = ctxt->input->cur; 35 ctxt->input->end = ctxt->input->cur;
28+ ctxt->input->end = ctxt->input->cur;
29+ if (ctxt->input->buf)
30+ xmlBufEmpty (ctxt->input->buf->buffer);
31+ else
32+ ctxt->input->length = 0;
33 } 36 }
34 } 37diff --git a/result/errors/759573.xml.err b/result/errors/759573.xml.err
38index 554039f6..38ef5c40 100644
39--- a/result/errors/759573.xml.err
40+++ b/result/errors/759573.xml.err
41@@ -21,14 +21,11 @@ Entity: line 1:
42 ^
43 ./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
35 44
45-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
46- ^
47+
48+^
49 ./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated
50-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
51- ^
52-./test/errors/759573.xml:1: parser error : StartTag: invalid element name
53-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
54- ^
55-./test/errors/759573.xml:1: parser error : Extra content at the end of the document
56-<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
57- ^
58+
59+^
60+./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found
61+
62+^
36-- 63--
372.7.4 642.11.0
38 65
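Review bot: The replacement patch header ties this backport to the vulnerability only through `CVE: CVE-2017-8872`. The old subject line naming htmlParseTryOrFinish and the bugzilla 775200 link are dropped, and the upstream message ("Free input buffer in xmlHaltParser") does not mention the CVE. I would keep the bug reference and name the upstream commit explicitly, e.g. `Upstream-Status: Backport [<upstream commit URL>]` followed by the existing `https://bugzilla.gnome.org/show_bug.cgi?id=775200` line, so a later audit can confirm the mapping. On the code side, the new xmlHaltParser lines free `ctxt->input->buf` and leave it NULL, where the old patch only emptied the buffer via `xmlBufEmpty`. Any parser path that reads `ctxt->input->buf` after a halt therefore needs a NULL check, which cannot be confirmed here because xmlHaltParser's body and its callers lie outside the embedded hunk.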