2 files changed, 38 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch
new file mode 100644
index 0000000000..41de9f80d8
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch
@@ -0,0 +1,37 @@
+From cbb271655cadeb8dbb258a64701d9a3a0c4835b4 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Mon, 7 Mar 2016 06:34:26 -0800
+Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
+ <https://bugzilla.gnome.org/show_bug.cgi?id=757711>
+* xmlregexp.c:
+(xmlFAParseCharRange): Only advance to the next character if
+there is no error.  Advancing to the next character in case of
+an error while parsing regexp leads to an out of bounds access.
+Upstream-Status: Backport
+CVE: CVE-2016-1840
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ xmlregexp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+Index: libxml2-2.9.2/xmlregexp.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlregexp.c
+++ libxml2-2.9.2/xmlregexp.c
+@@ -5052,11 +5052,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr
+        ERROR("Expecting the end of a char range");
+        return;
+     }
+-    NEXTL(len);
+
+     /* TODO check that the values are acceptable character ranges for XML */
+     if (end < start) {
+        ERROR("End of range is before start of range");
+     } else {
+        NEXTL(len);
+         xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
+                           XML_REGEXP_CHARVAL, start, end, NULL);
+     }
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index 41cba644fe..563661b1fd 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -8,6 +8,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
            file://CVE-2016-3705.patch \
            file://CVE-2016-1834.patch \
            file://CVE-2016-4483.patch \
+            file://CVE-2016-1840.patch \
    "
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch new file mode 100644 index 0000000000..41de9f80d8 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch
@@ -0,0 +1,37 @@
		1	From cbb271655cadeb8dbb258a64701d9a3a0c4835b4 Mon Sep 17 00:00:00 2001
		2	From: Pranjal Jumde <pjumde@apple.com>
		3	Date: Mon, 7 Mar 2016 06:34:26 -0800
		4	Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
		5	<https://bugzilla.gnome.org/show_bug.cgi?id=757711>
		6
		7	* xmlregexp.c:
		8	(xmlFAParseCharRange): Only advance to the next character if
		9	there is no error. Advancing to the next character in case of
		10	an error while parsing regexp leads to an out of bounds access.
		11
		12	Upstream-Status: Backport
		13	CVE: CVE-2016-1840
		14	Signed-off-by: Armin Kuster <akuster@mvista.com>
		15
		16	---
		17	xmlregexp.c \| 3 ++-
		18	1 file changed, 2 insertions(+), 1 deletion(-)
		19
		20	Index: libxml2-2.9.2/xmlregexp.c
		21	===================================================================
		22	--- libxml2-2.9.2.orig/xmlregexp.c
		23	+++ libxml2-2.9.2/xmlregexp.c
		24	@@ -5052,11 +5052,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr
		25	ERROR("Expecting the end of a char range");
		26	return;
		27	}
		28	- NEXTL(len);
		29	+
		30	/* TODO check that the values are acceptable character ranges for XML */
		31	if (end < start) {
		32	ERROR("End of range is before start of range");
		33	} else {
		34	+ NEXTL(len);
		35	xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
		36	XML_REGEXP_CHARVAL, start, end, NULL);
		37	}


diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb index 41cba644fe..563661b1fd 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.2.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -8,6 +8,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
8	file://CVE-2016-3705.patch \	8	file://CVE-2016-3705.patch \
9	file://CVE-2016-1834.patch \	9	file://CVE-2016-1834.patch \
10	file://CVE-2016-4483.patch \	10	file://CVE-2016-4483.patch \
		11	file://CVE-2016-1840.patch \
11	"	12	"
12		13
13	SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"	14	SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"