2 files changed, 258 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat/CVE-2022-22822-27.patch b/meta/recipes-core/expat/expat/CVE-2022-22822-27.patch
new file mode 100644
index 0000000000..e569fbc7ab
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-22822-27.patch
@@ -0,0 +1,257 @@
+From 9f93e8036e842329863bf20395b8fb8f73834d9e Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 30 Dec 2021 22:46:03 +0100
+Subject: [PATCH] lib: Prevent integer overflow at multiple places
+ (CVE-2022-22822 to CVE-2022-22827)
+The involved functions are:
+- addBinding (CVE-2022-22822)
+- build_model (CVE-2022-22823)
+- defineAttribute (CVE-2022-22824)
+- lookup (CVE-2022-22825)
+- nextScaffoldPart (CVE-2022-22826)
+- storeAtts (CVE-2022-22827)
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
+CVE: CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ expat/lib/xmlparse.c | 153 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 151 insertions(+), 2 deletions(-)
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 8f243126..575e73ee 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -3261,13 +3261,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ 
+   /* get the attributes from the tokenizer */
+   n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts);
+
+  /* Detect and prevent integer overflow */
+  if (n > INT_MAX - nDefaultAtts) {
+    return XML_ERROR_NO_MEMORY;
+  }
+
+   if (n + nDefaultAtts > parser->m_attsSize) {
+     int oldAttsSize = parser->m_attsSize;
+     ATTRIBUTE *temp;
+ #ifdef XML_ATTR_INFO
+     XML_AttrInfo *temp2;
+ #endif
+
+    /* Detect and prevent integer overflow */
+    if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
+        || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
+      return XML_ERROR_NO_MEMORY;
+    }
+
+     parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
+
+    /* Detect and prevent integer overflow.
+     * The preprocessor guard addresses the "always false" warning
+     * from -Wtype-limits on platforms where
+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
+      parser->m_attsSize = oldAttsSize;
+      return XML_ERROR_NO_MEMORY;
+    }
+#endif
+
+     temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts,
+                                 parser->m_attsSize * sizeof(ATTRIBUTE));
+     if (temp == NULL) {
+@@ -3276,6 +3301,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+     }
+     parser->m_atts = temp;
+ #ifdef XML_ATTR_INFO
+    /* Detect and prevent integer overflow.
+     * The preprocessor guard addresses the "always false" warning
+     * from -Wtype-limits on platforms where
+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#  if UINT_MAX >= SIZE_MAX
+    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
+      parser->m_attsSize = oldAttsSize;
+      return XML_ERROR_NO_MEMORY;
+    }
+#  endif
+
+     temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo,
+                                     parser->m_attsSize * sizeof(XML_AttrInfo));
+     if (temp2 == NULL) {
+@@ -3610,9 +3646,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+   tagNamePtr->prefixLen = prefixLen;
+   for (i = 0; localPart[i++];)
+     ; /* i includes null terminator */
+
+  /* Detect and prevent integer overflow */
+  if (binding->uriLen > INT_MAX - prefixLen
+      || i > INT_MAX - (binding->uriLen + prefixLen)) {
+    return XML_ERROR_NO_MEMORY;
+  }
+
+   n = i + binding->uriLen + prefixLen;
+   if (n > binding->uriAlloc) {
+     TAG *p;
+
+    /* Detect and prevent integer overflow */
+    if (n > INT_MAX - EXPAND_SPARE) {
+      return XML_ERROR_NO_MEMORY;
+    }
+    /* Detect and prevent integer overflow.
+     * The preprocessor guard addresses the "always false" warning
+     * from -Wtype-limits on platforms where
+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+    if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+      return XML_ERROR_NO_MEMORY;
+    }
+#endif
+
+     uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));
+     if (! uri)
+       return XML_ERROR_NO_MEMORY;
+@@ -3708,6 +3766,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+   if (parser->m_freeBindingList) {
+     b = parser->m_freeBindingList;
+     if (len > b->uriAlloc) {
+      /* Detect and prevent integer overflow */
+      if (len > INT_MAX - EXPAND_SPARE) {
+        return XML_ERROR_NO_MEMORY;
+      }
+
+      /* Detect and prevent integer overflow.
+       * The preprocessor guard addresses the "always false" warning
+       * from -Wtype-limits on platforms where
+       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+      if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+        return XML_ERROR_NO_MEMORY;
+      }
+#endif
+
+       XML_Char *temp = (XML_Char *)REALLOC(
+           parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE));
+       if (temp == NULL)
+@@ -3720,6 +3793,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+     b = (BINDING *)MALLOC(parser, sizeof(BINDING));
+     if (! b)
+       return XML_ERROR_NO_MEMORY;
+
+    /* Detect and prevent integer overflow */
+    if (len > INT_MAX - EXPAND_SPARE) {
+      return XML_ERROR_NO_MEMORY;
+    }
+    /* Detect and prevent integer overflow.
+     * The preprocessor guard addresses the "always false" warning
+     * from -Wtype-limits on platforms where
+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+    if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+      return XML_ERROR_NO_MEMORY;
+    }
+#endif
+
+     b->uri
+         = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));
+     if (! b->uri) {
+@@ -6141,7 +6229,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
+       }
+     } else {
+       DEFAULT_ATTRIBUTE *temp;
+
+      /* Detect and prevent integer overflow */
+      if (type->allocDefaultAtts > INT_MAX / 2) {
+        return 0;
+      }
+
+       int count = type->allocDefaultAtts * 2;
+
+      /* Detect and prevent integer overflow.
+       * The preprocessor guard addresses the "always false" warning
+       * from -Wtype-limits on platforms where
+       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+      if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
+        return 0;
+      }
+#endif
+
+       temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts,
+                                           (count * sizeof(DEFAULT_ATTRIBUTE)));
+       if (temp == NULL)
+@@ -6792,8 +6897,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
+     /* check for overflow (table is half full) */
+     if (table->used >> (table->power - 1)) {
+       unsigned char newPower = table->power + 1;
+
+      /* Detect and prevent invalid shift */
+      if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
+        return NULL;
+      }
+
+       size_t newSize = (size_t)1 << newPower;
+       unsigned long newMask = (unsigned long)newSize - 1;
+
+      /* Detect and prevent integer overflow */
+      if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
+        return NULL;
+      }
+
+       size_t tsize = newSize * sizeof(NAMED *);
+       NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);
+       if (! newV)
+@@ -7143,6 +7260,20 @@ nextScaffoldPart(XML_Parser parser) {
+   if (dtd->scaffCount >= dtd->scaffSize) {
+     CONTENT_SCAFFOLD *temp;
+     if (dtd->scaffold) {
+      /* Detect and prevent integer overflow */
+      if (dtd->scaffSize > UINT_MAX / 2u) {
+        return -1;
+      }
+      /* Detect and prevent integer overflow.
+       * The preprocessor guard addresses the "always false" warning
+       * from -Wtype-limits on platforms where
+       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+      if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
+        return -1;
+      }
+#endif
+
+       temp = (CONTENT_SCAFFOLD *)REALLOC(
+           parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
+       if (temp == NULL)
+@@ -7212,8 +7343,26 @@ build_model(XML_Parser parser) {
+   XML_Content *ret;
+   XML_Content *cpos;
+   XML_Char *str;
+-  int allocsize = (dtd->scaffCount * sizeof(XML_Content)
+-                   + (dtd->contentStringLen * sizeof(XML_Char)));
+
+  /* Detect and prevent integer overflow.
+   * The preprocessor guard addresses the "always false" warning
+   * from -Wtype-limits on platforms where
+   * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+  if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
+    return NULL;
+  }
+  if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
+    return NULL;
+  }
+#endif
+  if (dtd->scaffCount * sizeof(XML_Content)
+      > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
+    return NULL;
+  }
+
+  const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
+                            + (dtd->contentStringLen * sizeof(XML_Char)));
+ 
+   ret = (XML_Content *)MALLOC(parser, allocsize);
+   if (! ret)
diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb
index 4b63ec89db..7740d95db5 100644
--- a/meta/recipes-core/expat/expat_2.2.9.bb
+++ b/meta/recipes-core/expat/expat_2.2.9.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5b8620d98e49772d95fc1d291c26aa79"
 SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \
           file://CVE-2013-0340.patch \
+           file://CVE-2022-22822-27.patch \
           file://libtool-tag.patch \
         "

diff --git a/meta/recipes-core/expat/expat/CVE-2022-22822-27.patch b/meta/recipes-core/expat/expat/CVE-2022-22822-27.patch new file mode 100644 index 0000000000..e569fbc7ab --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2022-22822-27.patch
@@ -0,0 +1,257 @@
		1	From 9f93e8036e842329863bf20395b8fb8f73834d9e Mon Sep 17 00:00:00 2001
		2	From: Sebastian Pipping <sebastian@pipping.org>
		3	Date: Thu, 30 Dec 2021 22:46:03 +0100
		4	Subject: [PATCH] lib: Prevent integer overflow at multiple places
		5	(CVE-2022-22822 to CVE-2022-22827)
		6
		7	The involved functions are:
		8	- addBinding (CVE-2022-22822)
		9	- build_model (CVE-2022-22823)
		10	- defineAttribute (CVE-2022-22824)
		11	- lookup (CVE-2022-22825)
		12	- nextScaffoldPart (CVE-2022-22826)
		13	- storeAtts (CVE-2022-22827)
		14
		15	Upstream-Status: Backport:
		16	https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
		17
		18	CVE: CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827
		19	Signed-off-by: Steve Sakoman <steve@sakoman.com>
		20
		21	---
		22	expat/lib/xmlparse.c \| 153 ++++++++++++++++++++++++++++++++++++++++++-
		23	1 file changed, 151 insertions(+), 2 deletions(-)
		24
		25	diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
		26	index 8f243126..575e73ee 100644
		27	--- a/lib/xmlparse.c
		28	+++ b/lib/xmlparse.c
		29	@@ -3261,13 +3261,38 @@ storeAtts(XML_Parser parser, const ENCODING enc, const char attStr,
		30
		31	/* get the attributes from the tokenizer */
		32	n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts);
		33	+
		34	+ /* Detect and prevent integer overflow */
		35	+ if (n > INT_MAX - nDefaultAtts) {
		36	+ return XML_ERROR_NO_MEMORY;
		37	+ }
		38	+
		39	if (n + nDefaultAtts > parser->m_attsSize) {
		40	int oldAttsSize = parser->m_attsSize;
		41	ATTRIBUTE *temp;
		42	#ifdef XML_ATTR_INFO
		43	XML_AttrInfo *temp2;
		44	#endif
		45	+
		46	+ /* Detect and prevent integer overflow */
		47	+ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
		48	+ \|\| (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
		49	+ return XML_ERROR_NO_MEMORY;
		50	+ }
		51	+
		52	parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
		53	+
		54	+ /* Detect and prevent integer overflow.
		55	+ * The preprocessor guard addresses the "always false" warning
		56	+ * from -Wtype-limits on platforms where
		57	+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
		58	+#if UINT_MAX >= SIZE_MAX
		59	+ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
		60	+ parser->m_attsSize = oldAttsSize;
		61	+ return XML_ERROR_NO_MEMORY;
		62	+ }
		63	+#endif
		64	+
		65	temp = (ATTRIBUTE )REALLOC(parser, (void )parser->m_atts,
		66	parser->m_attsSize * sizeof(ATTRIBUTE));
		67	if (temp == NULL) {
		68	@@ -3276,6 +3301,17 @@ storeAtts(XML_Parser parser, const ENCODING enc, const char attStr,
		69	}
		70	parser->m_atts = temp;
		71	#ifdef XML_ATTR_INFO
		72	+ /* Detect and prevent integer overflow.
		73	+ * The preprocessor guard addresses the "always false" warning
		74	+ * from -Wtype-limits on platforms where
		75	+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
		76	+# if UINT_MAX >= SIZE_MAX
		77	+ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
		78	+ parser->m_attsSize = oldAttsSize;
		79	+ return XML_ERROR_NO_MEMORY;
		80	+ }
		81	+# endif
		82	+
		83	temp2 = (XML_AttrInfo )REALLOC(parser, (void )parser->m_attInfo,
		84	parser->m_attsSize * sizeof(XML_AttrInfo));
		85	if (temp2 == NULL) {
		86	@@ -3610,9 +3646,31 @@ storeAtts(XML_Parser parser, const ENCODING enc, const char attStr,
		87	tagNamePtr->prefixLen = prefixLen;
		88	for (i = 0; localPart[i++];)
		89	; /* i includes null terminator */
		90	+
		91	+ /* Detect and prevent integer overflow */
		92	+ if (binding->uriLen > INT_MAX - prefixLen
		93	+ \|\| i > INT_MAX - (binding->uriLen + prefixLen)) {
		94	+ return XML_ERROR_NO_MEMORY;
		95	+ }
		96	+
		97	n = i + binding->uriLen + prefixLen;
		98	if (n > binding->uriAlloc) {
		99	TAG *p;
		100	+
		101	+ /* Detect and prevent integer overflow */
		102	+ if (n > INT_MAX - EXPAND_SPARE) {
		103	+ return XML_ERROR_NO_MEMORY;
		104	+ }
		105	+ /* Detect and prevent integer overflow.
		106	+ * The preprocessor guard addresses the "always false" warning
		107	+ * from -Wtype-limits on platforms where
		108	+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
		109	+#if UINT_MAX >= SIZE_MAX
		110	+ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
		111	+ return XML_ERROR_NO_MEMORY;
		112	+ }
		113	+#endif
		114	+
		115	uri = (XML_Char )MALLOC(parser, (n + EXPAND_SPARE) sizeof(XML_Char));
		116	if (! uri)
		117	return XML_ERROR_NO_MEMORY;
		118	@@ -3708,6 +3766,21 @@ addBinding(XML_Parser parser, PREFIX prefix, const ATTRIBUTE_ID attId,
		119	if (parser->m_freeBindingList) {
		120	b = parser->m_freeBindingList;
		121	if (len > b->uriAlloc) {
		122	+ /* Detect and prevent integer overflow */
		123	+ if (len > INT_MAX - EXPAND_SPARE) {
		124	+ return XML_ERROR_NO_MEMORY;
		125	+ }
		126	+
		127	+ /* Detect and prevent integer overflow.
		128	+ * The preprocessor guard addresses the "always false" warning
		129	+ * from -Wtype-limits on platforms where
		130	+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
		131	+#if UINT_MAX >= SIZE_MAX
		132	+ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
		133	+ return XML_ERROR_NO_MEMORY;
		134	+ }
		135	+#endif
		136	+
		137	XML_Char temp = (XML_Char )REALLOC(
		138	parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE));
		139	if (temp == NULL)
		140	@@ -3720,6 +3793,21 @@ addBinding(XML_Parser parser, PREFIX prefix, const ATTRIBUTE_ID attId,
		141	b = (BINDING *)MALLOC(parser, sizeof(BINDING));
		142	if (! b)
		143	return XML_ERROR_NO_MEMORY;
		144	+
		145	+ /* Detect and prevent integer overflow */
		146	+ if (len > INT_MAX - EXPAND_SPARE) {
		147	+ return XML_ERROR_NO_MEMORY;
		148	+ }
		149	+ /* Detect and prevent integer overflow.
		150	+ * The preprocessor guard addresses the "always false" warning
		151	+ * from -Wtype-limits on platforms where
		152	+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
		153	+#if UINT_MAX >= SIZE_MAX
		154	+ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
		155	+ return XML_ERROR_NO_MEMORY;
		156	+ }
		157	+#endif
		158	+
		159	b->uri
		160	= (XML_Char )MALLOC(parser, sizeof(XML_Char) (len + EXPAND_SPARE));
		161	if (! b->uri) {
		162	@@ -6141,7 +6229,24 @@ defineAttribute(ELEMENT_TYPE type, ATTRIBUTE_ID attId, XML_Bool isCdata,
		163	}
		164	} else {
		165	DEFAULT_ATTRIBUTE *temp;
		166	+
		167	+ /* Detect and prevent integer overflow */
		168	+ if (type->allocDefaultAtts > INT_MAX / 2) {
		169	+ return 0;
		170	+ }
		171	+
		172	int count = type->allocDefaultAtts * 2;
		173	+
		174	+ /* Detect and prevent integer overflow.
		175	+ * The preprocessor guard addresses the "always false" warning
		176	+ * from -Wtype-limits on platforms where
		177	+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
		178	+#if UINT_MAX >= SIZE_MAX
		179	+ if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
		180	+ return 0;
		181	+ }
		182	+#endif
		183	+
		184	temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts,
		185	(count * sizeof(DEFAULT_ATTRIBUTE)));
		186	if (temp == NULL)
		187	@@ -6792,8 +6897,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
		188	/* check for overflow (table is half full) */
		189	if (table->used >> (table->power - 1)) {
		190	unsigned char newPower = table->power + 1;
		191	+
		192	+ /* Detect and prevent invalid shift */
		193	+ if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
		194	+ return NULL;
		195	+ }
		196	+
		197	size_t newSize = (size_t)1 << newPower;
		198	unsigned long newMask = (unsigned long)newSize - 1;
		199	+
		200	+ /* Detect and prevent integer overflow */
		201	+ if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
		202	+ return NULL;
		203	+ }
		204	+
		205	size_t tsize = newSize * sizeof(NAMED *);
		206	NAMED newV = (NAMED )table->mem->malloc_fcn(tsize);
		207	if (! newV)
		208	@@ -7143,6 +7260,20 @@ nextScaffoldPart(XML_Parser parser) {
		209	if (dtd->scaffCount >= dtd->scaffSize) {
		210	CONTENT_SCAFFOLD *temp;
		211	if (dtd->scaffold) {
		212	+ /* Detect and prevent integer overflow */
		213	+ if (dtd->scaffSize > UINT_MAX / 2u) {
		214	+ return -1;
		215	+ }
		216	+ /* Detect and prevent integer overflow.
		217	+ * The preprocessor guard addresses the "always false" warning
		218	+ * from -Wtype-limits on platforms where
		219	+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
		220	+#if UINT_MAX >= SIZE_MAX
		221	+ if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
		222	+ return -1;
		223	+ }
		224	+#endif
		225	+
		226	temp = (CONTENT_SCAFFOLD *)REALLOC(
		227	parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
		228	if (temp == NULL)
		229	@@ -7212,8 +7343,26 @@ build_model(XML_Parser parser) {
		230	XML_Content *ret;
		231	XML_Content *cpos;
		232	XML_Char *str;
		233	- int allocsize = (dtd->scaffCount * sizeof(XML_Content)
		234	- + (dtd->contentStringLen * sizeof(XML_Char)));
		235	+
		236	+ /* Detect and prevent integer overflow.
		237	+ * The preprocessor guard addresses the "always false" warning
		238	+ * from -Wtype-limits on platforms where
		239	+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
		240	+#if UINT_MAX >= SIZE_MAX
		241	+ if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
		242	+ return NULL;
		243	+ }
		244	+ if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
		245	+ return NULL;
		246	+ }
		247	+#endif
		248	+ if (dtd->scaffCount * sizeof(XML_Content)
		249	+ > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
		250	+ return NULL;
		251	+ }
		252	+
		253	+ const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
		254	+ + (dtd->contentStringLen * sizeof(XML_Char)));
		255
		256	ret = (XML_Content *)MALLOC(parser, allocsize);
		257	if (! ret)


diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb index 4b63ec89db..7740d95db5 100644 --- a/meta/recipes-core/expat/expat_2.2.9.bb +++ b/meta/recipes-core/expat/expat_2.2.9.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5b8620d98e49772d95fc1d291c26aa79"
8		8
9	SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \	9	SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \
10	file://CVE-2013-0340.patch \	10	file://CVE-2013-0340.patch \
		11	file://CVE-2022-22822-27.patch \
11	file://libtool-tag.patch \	12	file://libtool-tag.patch \
12	"	13	"
13		14