1 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat/CVE-2021-46143.patch b/meta/recipes-core/expat/expat/CVE-2021-46143.patch
new file mode 100644
index 0000000000..b1a726d9a8
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2021-46143.patch
@@ -0,0 +1,49 @@
+From 85ae9a2d7d0e9358f356b33977b842df8ebaec2b Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 25 Dec 2021 20:52:08 +0100
+Subject: [PATCH] lib: Prevent integer overflow on m_groupSize in function
+ doProlog (CVE-2021-46143)
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/pull/538/commits/85ae9a2d7d0e9358f356b33977b842df8ebaec2b
+CVE: CVE-2021-46143
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ expat/lib/xmlparse.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index b47c31b0..8f243126 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -5046,6 +5046,11 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+       if (parser->m_prologState.level >= parser->m_groupSize) {
+         if (parser->m_groupSize) {
+           {
+            /* Detect and prevent integer overflow */
+            if (parser->m_groupSize > (unsigned int)(-1) / 2u) {
+              return XML_ERROR_NO_MEMORY;
+            }
+
+             char *const new_connector = (char *)REALLOC(
+                 parser, parser->m_groupConnector, parser->m_groupSize *= 2);
+             if (new_connector == NULL) {
+@@ -5056,6 +5061,16 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+           }
+ 
+           if (dtd->scaffIndex) {
+            /* Detect and prevent integer overflow.
+             * The preprocessor guard addresses the "always false" warning
+             * from -Wtype-limits on platforms where
+             * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+            if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) {
+              return XML_ERROR_NO_MEMORY;
+            }
+#endif
+
+             int *const new_scaff_index = (int *)REALLOC(
+                 parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int));
+             if (new_scaff_index == NULL)

diff --git a/meta/recipes-core/expat/expat/CVE-2021-46143.patch b/meta/recipes-core/expat/expat/CVE-2021-46143.patch new file mode 100644 index 0000000000..b1a726d9a8 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2021-46143.patch
@@ -0,0 +1,49 @@
	1	From 85ae9a2d7d0e9358f356b33977b842df8ebaec2b Mon Sep 17 00:00:00 2001
	2	From: Sebastian Pipping <sebastian@pipping.org>
	3	Date: Sat, 25 Dec 2021 20:52:08 +0100
	4	Subject: [PATCH] lib: Prevent integer overflow on m_groupSize in function
	5	doProlog (CVE-2021-46143)
	6
	7	Upstream-Status: Backport:
	8	https://github.com/libexpat/libexpat/pull/538/commits/85ae9a2d7d0e9358f356b33977b842df8ebaec2b
	9
	10	CVE: CVE-2021-46143
	11
	12	Signed-off-by: Steve Sakoman <steve@sakoman.com>
	13	---
	14	expat/lib/xmlparse.c \| 15 +++++++++++++++
	15	1 file changed, 15 insertions(+)
	16
	17	diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
	18	index b47c31b0..8f243126 100644
	19	--- a/lib/xmlparse.c
	20	+++ b/lib/xmlparse.c
	21	@@ -5046,6 +5046,11 @@ doProlog(XML_Parser parser, const ENCODING enc, const char s, const char *end,
	22	if (parser->m_prologState.level >= parser->m_groupSize) {
	23	if (parser->m_groupSize) {
	24	{
	25	+ /* Detect and prevent integer overflow */
	26	+ if (parser->m_groupSize > (unsigned int)(-1) / 2u) {
	27	+ return XML_ERROR_NO_MEMORY;
	28	+ }
	29	+
	30	char const new_connector = (char )REALLOC(
	31	parser, parser->m_groupConnector, parser->m_groupSize *= 2);
	32	if (new_connector == NULL) {
	33	@@ -5056,6 +5061,16 @@ doProlog(XML_Parser parser, const ENCODING enc, const char s, const char *end,
	34	}
	35
	36	if (dtd->scaffIndex) {
	37	+ /* Detect and prevent integer overflow.
	38	+ * The preprocessor guard addresses the "always false" warning
	39	+ * from -Wtype-limits on platforms where
	40	+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
	41	+#if UINT_MAX >= SIZE_MAX
	42	+ if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) {
	43	+ return XML_ERROR_NO_MEMORY;
	44	+ }
	45	+#endif
	46	+
	47	int const new_scaff_index = (int )REALLOC(
	48	parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int));
	49	if (new_scaff_index == NULL)