1 files changed, 131 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
new file mode 100644
index 0000000000..b4860791bf
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
@@ -0,0 +1,131 @@
+From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 16:06:59 +0800
+Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect
+ entities boundaries
+For https://bugzilla.gnome.org/show_bug.cgi?id=756525
+handle properly the case where we popped out of the current entity
+while processing a start tag
+Reported by Kostya Serebryany @ Google
+This slightly modifies the output of 754946 in regression tests
+Upstream-Status: Backport
+CVE-2015-7500
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ parser.c                     | 28 ++++++++++++++++++++++------
+ result/errors/754946.xml.err |  7 +++++--
+ 2 files changed, 27 insertions(+), 8 deletions(-)
+diff --git a/parser.c b/parser.c
+index c7e4574..c5741e3 100644
+--- a/parser.c
+++ b/parser.c
+@@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
+     const xmlChar **atts = ctxt->atts;
+     int maxatts = ctxt->maxatts;
+     int nratts, nbatts, nbdef;
+-    int i, j, nbNs, attval, oldline, oldcol;
+    int i, j, nbNs, attval, oldline, oldcol, inputNr;
+     const xmlChar *base;
+     unsigned long cur;
+     int nsNr = ctxt->nsNr;
+@@ -9367,6 +9367,7 @@ reparse:
+     SHRINK;
+     base = ctxt->input->base;
+     cur = ctxt->input->cur - ctxt->input->base;
+    inputNr = ctxt->inputNr;
+     oldline = ctxt->input->line;
+     oldcol = ctxt->input->col;
+     nbatts = 0;
+@@ -9392,7 +9393,8 @@ reparse:
+      */
+     SKIP_BLANKS;
+     GROW;
+-    if (ctxt->input->base != base) goto base_changed;
+    if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+        goto base_changed;
+ 
+     while (((RAW != '>') &&
+           ((RAW != '/') || (NXT(1) != '>')) &&
+@@ -9403,7 +9405,7 @@ reparse:
+ 
+        attname = xmlParseAttribute2(ctxt, prefix, localname,
+                                     &aprefix, &attvalue, &len, &alloc);
+-       if (ctxt->input->base != base) {
+       if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {
+            if ((attvalue != NULL) && (alloc != 0))
+                xmlFree(attvalue);
+            attvalue = NULL;
+@@ -9552,7 +9554,8 @@ skip_ns:
+                    break;
+                }
+                SKIP_BLANKS;
+-               if (ctxt->input->base != base) goto base_changed;
+               if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+                   goto base_changed;
+                continue;
+            }
+ 
+@@ -9589,7 +9592,8 @@ failed:
+        GROW
+         if (ctxt->instate == XML_PARSER_EOF)
+             break;
+-       if (ctxt->input->base != base) goto base_changed;
+       if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+           goto base_changed;
+        if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+            break;
+        if (!IS_BLANK_CH(RAW)) {
+@@ -9605,7 +9609,8 @@ failed:
+            break;
+        }
+         GROW;
+-       if (ctxt->input->base != base) goto base_changed;
+       if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+           goto base_changed;
+     }
+ 
+     /*
+@@ -9772,6 +9777,17 @@ base_changed:
+            if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
+                xmlFree((xmlChar *) atts[i]);
+     }
+
+    /*
+     * We can't switch from one entity to another in the middle
+     * of a start tag
+     */
+    if (inputNr != ctxt->inputNr) {
+        xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+                   "Start tag doesn't start and stop in the same entity\n");
+       return(NULL);
+    }
+
+     ctxt->input->cur = ctxt->input->base + cur;
+     ctxt->input->line = oldline;
+     ctxt->input->col = oldcol;
+diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
+index 423dff5..a75088b 100644
+--- a/result/errors/754946.xml.err
+++ b/result/errors/754946.xml.err
+@@ -11,6 +11,9 @@ Entity: line 1: parser error : DOCTYPE improperly terminated
+ Entity: line 1: 
+ A<lbbbbbbbbbbbbbbbbbbb_
+ ^
+./test/errors/754946.xml:1: parser error : Start tag doesn't start and stop in the same entity
+>%SYSTEM;<![
+         ^
+ ./test/errors/754946.xml:1: parser error : Extra content at the end of the document
+-<!DOCTYPEA[<!ENTITY %
+-  ^
+>%SYSTEM;<![
+         ^
+-- 
+2.3.5

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch new file mode 100644 index 0000000000..b4860791bf --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
@@ -0,0 +1,131 @@
	1	From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001
	2	From: Daniel Veillard <veillard@redhat.com>
	3	Date: Fri, 20 Nov 2015 16:06:59 +0800
	4	Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect
	5	entities boundaries
	6
	7	For https://bugzilla.gnome.org/show_bug.cgi?id=756525
	8	handle properly the case where we popped out of the current entity
	9	while processing a start tag
	10	Reported by Kostya Serebryany @ Google
	11
	12	This slightly modifies the output of 754946 in regression tests
	13
	14	Upstream-Status: Backport
	15
	16	CVE-2015-7500
	17
	18	Signed-off-by: Armin Kuster <akuster@mvista.com>
	19
	20	---
	21	parser.c \| 28 ++++++++++++++++++++++------
	22	result/errors/754946.xml.err \| 7 +++++--
	23	2 files changed, 27 insertions(+), 8 deletions(-)
	24
	25	diff --git a/parser.c b/parser.c
	26	index c7e4574..c5741e3 100644
	27	--- a/parser.c
	28	+++ b/parser.c
	29	@@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
	30	const xmlChar **atts = ctxt->atts;
	31	int maxatts = ctxt->maxatts;
	32	int nratts, nbatts, nbdef;
	33	- int i, j, nbNs, attval, oldline, oldcol;
	34	+ int i, j, nbNs, attval, oldline, oldcol, inputNr;
	35	const xmlChar *base;
	36	unsigned long cur;
	37	int nsNr = ctxt->nsNr;
	38	@@ -9367,6 +9367,7 @@ reparse:
	39	SHRINK;
	40	base = ctxt->input->base;
	41	cur = ctxt->input->cur - ctxt->input->base;
	42	+ inputNr = ctxt->inputNr;
	43	oldline = ctxt->input->line;
	44	oldcol = ctxt->input->col;
	45	nbatts = 0;
	46	@@ -9392,7 +9393,8 @@ reparse:
	47	*/
	48	SKIP_BLANKS;
	49	GROW;
	50	- if (ctxt->input->base != base) goto base_changed;
	51	+ if ((ctxt->input->base != base) \|\| (inputNr != ctxt->inputNr))
	52	+ goto base_changed;
	53
	54	while (((RAW != '>') &&
	55	((RAW != '/') \|\| (NXT(1) != '>')) &&
	56	@@ -9403,7 +9405,7 @@ reparse:
	57
	58	attname = xmlParseAttribute2(ctxt, prefix, localname,
	59	&aprefix, &attvalue, &len, &alloc);
	60	- if (ctxt->input->base != base) {
	61	+ if ((ctxt->input->base != base) \|\| (inputNr != ctxt->inputNr)) {
	62	if ((attvalue != NULL) && (alloc != 0))
	63	xmlFree(attvalue);
	64	attvalue = NULL;
	65	@@ -9552,7 +9554,8 @@ skip_ns:
	66	break;
	67	}
	68	SKIP_BLANKS;
	69	- if (ctxt->input->base != base) goto base_changed;
	70	+ if ((ctxt->input->base != base) \|\| (inputNr != ctxt->inputNr))
	71	+ goto base_changed;
	72	continue;
	73	}
	74
	75	@@ -9589,7 +9592,8 @@ failed:
	76	GROW
	77	if (ctxt->instate == XML_PARSER_EOF)
	78	break;
	79	- if (ctxt->input->base != base) goto base_changed;
	80	+ if ((ctxt->input->base != base) \|\| (inputNr != ctxt->inputNr))
	81	+ goto base_changed;
	82	if ((RAW == '>') \|\| (((RAW == '/') && (NXT(1) == '>'))))
	83	break;
	84	if (!IS_BLANK_CH(RAW)) {
	85	@@ -9605,7 +9609,8 @@ failed:
	86	break;
	87	}
	88	GROW;
	89	- if (ctxt->input->base != base) goto base_changed;
	90	+ if ((ctxt->input->base != base) \|\| (inputNr != ctxt->inputNr))
	91	+ goto base_changed;
	92	}
	93
	94	/*
	95	@@ -9772,6 +9777,17 @@ base_changed:
	96	if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
	97	xmlFree((xmlChar *) atts[i]);
	98	}
	99	+
	100	+ /*
	101	+ * We can't switch from one entity to another in the middle
	102	+ * of a start tag
	103	+ */
	104	+ if (inputNr != ctxt->inputNr) {
	105	+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
	106	+ "Start tag doesn't start and stop in the same entity\n");
	107	+ return(NULL);
	108	+ }
	109	+
	110	ctxt->input->cur = ctxt->input->base + cur;
	111	ctxt->input->line = oldline;
	112	ctxt->input->col = oldcol;
	113	diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
	114	index 423dff5..a75088b 100644
	115	--- a/result/errors/754946.xml.err
	116	+++ b/result/errors/754946.xml.err
	117	@@ -11,6 +11,9 @@ Entity: line 1: parser error : DOCTYPE improperly terminated
	118	Entity: line 1:
	119	A<lbbbbbbbbbbbbbbbbbbb_
	120	^
	121	+./test/errors/754946.xml:1: parser error : Start tag doesn't start and stop in the same entity
	122	+>%SYSTEM;<![
	123	+ ^
	124	./test/errors/754946.xml:1: parser error : Extra content at the end of the document
	125	-<!DOCTYPEA[<!ENTITY %
	126	- ^
	127	+>%SYSTEM;<![
	128	+ ^
	129	--
	130	2.3.5
	131