1 files changed, 143 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch
new file mode 100644
index 0000000000..0ed527ad20
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch
@@ -0,0 +1,143 @@
+From 11ed4a7a90d5ce156a18980a4ad4e53e77384852 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Wed, 2 Mar 2016 15:52:24 -0800
+Subject: [PATCH] Heap use-after-free in htmlParsePubidLiteral and
+ htmlParseSystemiteral
+For https://bugzilla.gnome.org/show_bug.cgi?id=760263
+* HTMLparser.c: Add BASE_PTR convenience macro.
+(htmlParseSystemLiteral): Store length and start position instead
+of a pointer while iterating through the public identifier since
+the underlying buffer may change, resulting in a stale pointer
+being used.
+(htmlParsePubidLiteral): Ditto.
+Upstream-status: Backport
+CVE: CVE-2016-1837.patch
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ HTMLparser.c | 58 +++++++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 43 insertions(+), 15 deletions(-)
+Index: libxml2-2.9.2/HTMLparser.c
+===================================================================
+--- libxml2-2.9.2.orig/HTMLparser.c
+++ libxml2-2.9.2/HTMLparser.c
+@@ -303,6 +303,7 @@ htmlNodeInfoPop(htmlParserCtxtPtr ctxt)
+ #define UPP(val) (toupper(ctxt->input->cur[(val)]))
+ 
+ #define CUR_PTR ctxt->input->cur
+#define BASE_PTR ctxt->input->base
+ 
+ #define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \
+                   (ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \
+@@ -2773,31 +2774,43 @@ htmlParseAttValue(htmlParserCtxtPtr ctxt
+ 
+ static xmlChar *
+ htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) {
+-    const xmlChar *q;
+    size_t len = 0, startPosition = 0;
+     xmlChar *ret = NULL;
+ 
+     if (CUR == '"') {
+         NEXT;
+-       q = CUR_PTR;
+-       while ((IS_CHAR_CH(CUR)) && (CUR != '"'))
+
+        if (CUR_PTR < BASE_PTR)
+            return(ret);
+        startPosition = CUR_PTR - BASE_PTR;
+
+       while ((IS_CHAR_CH(CUR)) && (CUR != '"')) {
+            NEXT;
+           len++;
+       }
+        if (!IS_CHAR_CH(CUR)) {
+            htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+                         "Unfinished SystemLiteral\n", NULL, NULL);
+        } else {
+-           ret = xmlStrndup(q, CUR_PTR - q);
+           ret = xmlStrndup((BASE_PTR+startPosition), len);
+            NEXT;
+         }
+     } else if (CUR == '\'') {
+         NEXT;
+-       q = CUR_PTR;
+-       while ((IS_CHAR_CH(CUR)) && (CUR != '\''))
+
+        if (CUR_PTR < BASE_PTR)
+            return(ret);
+        startPosition = CUR_PTR - BASE_PTR;
+
+       while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) {
+            NEXT;
+           len++;
+       }
+        if (!IS_CHAR_CH(CUR)) {
+            htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+                         "Unfinished SystemLiteral\n", NULL, NULL);
+        } else {
+-           ret = xmlStrndup(q, CUR_PTR - q);
+           ret = xmlStrndup((BASE_PTR+startPosition), len);
+            NEXT;
+         }
+     } else {
+@@ -2821,32 +2834,47 @@ htmlParseSystemLiteral(htmlParserCtxtPtr
+ 
+ static xmlChar *
+ htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) {
+-    const xmlChar *q;
+    size_t len = 0, startPosition = 0;
+     xmlChar *ret = NULL;
+     /*
+      * Name ::= (Letter | '_') (NameChar)*
+      */
+     if (CUR == '"') {
+         NEXT;
+-       q = CUR_PTR;
+-       while (IS_PUBIDCHAR_CH(CUR)) NEXT;
+
+        if (CUR_PTR < BASE_PTR)
+            return(ret);
+        startPosition = CUR_PTR - BASE_PTR;
+
+        while (IS_PUBIDCHAR_CH(CUR)) {
+            len++;
+            NEXT;
+        }
+
+        if (CUR != '"') {
+            htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+                         "Unfinished PubidLiteral\n", NULL, NULL);
+        } else {
+-           ret = xmlStrndup(q, CUR_PTR - q);
+           ret = xmlStrndup((BASE_PTR + startPosition), len);
+            NEXT;
+        }
+     } else if (CUR == '\'') {
+         NEXT;
+-       q = CUR_PTR;
+-       while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\''))
+-           NEXT;
+
+        if (CUR_PTR < BASE_PTR)
+            return(ret);
+        startPosition = CUR_PTR - BASE_PTR;
+
+        while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){
+            len++;
+            NEXT;
+        }
+
+        if (CUR != '\'') {
+            htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+                         "Unfinished PubidLiteral\n", NULL, NULL);
+        } else {
+-           ret = xmlStrndup(q, CUR_PTR - q);
+           ret = xmlStrndup((BASE_PTR + startPosition), len);
+            NEXT;
+        }
+     } else {

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch new file mode 100644 index 0000000000..0ed527ad20 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch
@@ -0,0 +1,143 @@
	1	From 11ed4a7a90d5ce156a18980a4ad4e53e77384852 Mon Sep 17 00:00:00 2001
	2	From: Pranjal Jumde <pjumde@apple.com>
	3	Date: Wed, 2 Mar 2016 15:52:24 -0800
	4	Subject: [PATCH] Heap use-after-free in htmlParsePubidLiteral and
	5	htmlParseSystemiteral
	6
	7	For https://bugzilla.gnome.org/show_bug.cgi?id=760263
	8
	9	* HTMLparser.c: Add BASE_PTR convenience macro.
	10	(htmlParseSystemLiteral): Store length and start position instead
	11	of a pointer while iterating through the public identifier since
	12	the underlying buffer may change, resulting in a stale pointer
	13	being used.
	14	(htmlParsePubidLiteral): Ditto.
	15
	16	Upstream-status: Backport
	17	CVE: CVE-2016-1837.patch
	18
	19	Signed-off-by: Armin Kuster <akuster@mvista.com>
	20
	21	---
	22	HTMLparser.c \| 58 +++++++++++++++++++++++++++++++++++++++++++---------------
	23	1 file changed, 43 insertions(+), 15 deletions(-)
	24
	25	Index: libxml2-2.9.2/HTMLparser.c
	26	===================================================================
	27	--- libxml2-2.9.2.orig/HTMLparser.c
	28	+++ libxml2-2.9.2/HTMLparser.c
	29	@@ -303,6 +303,7 @@ htmlNodeInfoPop(htmlParserCtxtPtr ctxt)
	30	#define UPP(val) (toupper(ctxt->input->cur[(val)]))
	31
	32	#define CUR_PTR ctxt->input->cur
	33	+#define BASE_PTR ctxt->input->base
	34
	35	#define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \
	36	(ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \
	37	@@ -2773,31 +2774,43 @@ htmlParseAttValue(htmlParserCtxtPtr ctxt
	38
	39	static xmlChar *
	40	htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) {
	41	- const xmlChar *q;
	42	+ size_t len = 0, startPosition = 0;
	43	xmlChar *ret = NULL;
	44
	45	if (CUR == '"') {
	46	NEXT;
	47	- q = CUR_PTR;
	48	- while ((IS_CHAR_CH(CUR)) && (CUR != '"'))
	49	+
	50	+ if (CUR_PTR < BASE_PTR)
	51	+ return(ret);
	52	+ startPosition = CUR_PTR - BASE_PTR;
	53	+
	54	+ while ((IS_CHAR_CH(CUR)) && (CUR != '"')) {
	55	NEXT;
	56	+ len++;
	57	+ }
	58	if (!IS_CHAR_CH(CUR)) {
	59	htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
	60	"Unfinished SystemLiteral\n", NULL, NULL);
	61	} else {
	62	- ret = xmlStrndup(q, CUR_PTR - q);
	63	+ ret = xmlStrndup((BASE_PTR+startPosition), len);
	64	NEXT;
	65	}
	66	} else if (CUR == '\'') {
	67	NEXT;
	68	- q = CUR_PTR;
	69	- while ((IS_CHAR_CH(CUR)) && (CUR != '\''))
	70	+
	71	+ if (CUR_PTR < BASE_PTR)
	72	+ return(ret);
	73	+ startPosition = CUR_PTR - BASE_PTR;
	74	+
	75	+ while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) {
	76	NEXT;
	77	+ len++;
	78	+ }
	79	if (!IS_CHAR_CH(CUR)) {
	80	htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
	81	"Unfinished SystemLiteral\n", NULL, NULL);
	82	} else {
	83	- ret = xmlStrndup(q, CUR_PTR - q);
	84	+ ret = xmlStrndup((BASE_PTR+startPosition), len);
	85	NEXT;
	86	}
	87	} else {
	88	@@ -2821,32 +2834,47 @@ htmlParseSystemLiteral(htmlParserCtxtPtr
	89
	90	static xmlChar *
	91	htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) {
	92	- const xmlChar *q;
	93	+ size_t len = 0, startPosition = 0;
	94	xmlChar *ret = NULL;
	95	/*
	96	* Name ::= (Letter \| '_') (NameChar)*
	97	*/
	98	if (CUR == '"') {
	99	NEXT;
	100	- q = CUR_PTR;
	101	- while (IS_PUBIDCHAR_CH(CUR)) NEXT;
	102	+
	103	+ if (CUR_PTR < BASE_PTR)
	104	+ return(ret);
	105	+ startPosition = CUR_PTR - BASE_PTR;
	106	+
	107	+ while (IS_PUBIDCHAR_CH(CUR)) {
	108	+ len++;
	109	+ NEXT;
	110	+ }
	111	+
	112	if (CUR != '"') {
	113	htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
	114	"Unfinished PubidLiteral\n", NULL, NULL);
	115	} else {
	116	- ret = xmlStrndup(q, CUR_PTR - q);
	117	+ ret = xmlStrndup((BASE_PTR + startPosition), len);
	118	NEXT;
	119	}
	120	} else if (CUR == '\'') {
	121	NEXT;
	122	- q = CUR_PTR;
	123	- while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\''))
	124	- NEXT;
	125	+
	126	+ if (CUR_PTR < BASE_PTR)
	127	+ return(ret);
	128	+ startPosition = CUR_PTR - BASE_PTR;
	129	+
	130	+ while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){
	131	+ len++;
	132	+ NEXT;
	133	+ }
	134	+
	135	if (CUR != '\'') {
	136	htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
	137	"Unfinished PubidLiteral\n", NULL, NULL);
	138	} else {
	139	- ret = xmlStrndup(q, CUR_PTR - q);
	140	+ ret = xmlStrndup((BASE_PTR + startPosition), len);
	141	NEXT;
	142	}
	143	} else {