Diffstat (limited to 'meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch | 208 |
1 files changed, 208 insertions, 0 deletions
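diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch
new file mode 100644
index 0000000000..bfea8fde55
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch
@@ -0,0 +1,208 @@
+From 502f6a6d08b08c04b3ddfb1cd21b2f699c1b7f5b Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Mon, 23 May 2016 14:58:41 +0800
+Subject: [PATCH] More format string warnings with possible format string
+vulnerability
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=761029
+
+adds a new xmlEscapeFormatString() function to escape composed format
+strings
+
+Upstream-Status: Backport
+CVE: CVE-2016-4448 patch #2
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+libxml.h | 3 +++
+relaxng.c | 3 ++-
+xmlschemas.c | 39 ++++++++++++++++++++++++++-------------
+xmlstring.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+4 files changed, 86 insertions(+), 14 deletions(-)
+
+Index: libxml2-2.9.2/libxml.h
+===================================================================
+--- libxml2-2.9.2.orig/libxml.h
++++ libxml2-2.9.2/libxml.h
+@@ -9,6 +9,8 @@
+#ifndef __XML_LIBXML_H__
+#define __XML_LIBXML_H__
+
++#include <libxml/xmlstring.h>
++
+#ifndef NO_LARGEFILE_SOURCE
+#ifndef _LARGEFILE_SOURCE
+#define _LARGEFILE_SOURCE
+@@ -96,6 +98,7 @@ int __xmlInitializeDict(void);
+int __xmlRandom(void);
+#endif
+
++XMLPUBFUN xmlChar * XMLCALL xmlEscapeFormatString(xmlChar **msg);
+int xmlNop(void);
+
+#ifdef IN_LIBXML
+Index: libxml2-2.9.2/relaxng.c
+===================================================================
+--- libxml2-2.9.2.orig/relaxng.c
++++ libxml2-2.9.2/relaxng.c
+@@ -2215,7 +2215,8 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValid
+snprintf(msg, 1000, "Unknown error code %d\n", err);
+}
+msg[1000 - 1] = 0;
+- return (xmlStrdup((xmlChar *) msg));
++ xmlChar *result = xmlCharStrdup(msg);
++ return (xmlEscapeFormatString(&result));
+}
+
+/**
+Index: libxml2-2.9.2/xmlschemas.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlschemas.c
++++ libxml2-2.9.2/xmlschemas.c
+@@ -1769,7 +1769,7 @@ xmlSchemaFormatItemForReport(xmlChar **b
+}
+FREE_AND_NULL(str)
+
+- return (*buf);
++ return (xmlEscapeFormatString(buf));
+}
+
+/**
+@@ -2249,6 +2249,13 @@ xmlSchemaFormatNodeForError(xmlChar ** m
+TODO
+return (NULL);
+}
++
++ /*
++ * xmlSchemaFormatItemForReport() also returns an escaped format
++ * string, so do this before calling it below (in the future).
++ */
++ xmlEscapeFormatString(msg);
++
+/*
+* VAL TODO: The output of the given schema component is currently
+* disabled.
+@@ -2476,11 +2483,13 @@ xmlSchemaSimpleTypeErr(xmlSchemaAbstract
+msg = xmlStrcat(msg, BAD_CAST " '");
+if (type->builtInType != 0) {
+msg = xmlStrcat(msg, BAD_CAST "xs:");
+- msg = xmlStrcat(msg, type->name);
+- } else
+- msg = xmlStrcat(msg,
+- xmlSchemaFormatQName(&str,
+- type->targetNamespace, type->name));
++ str = xmlStrdup(type->name);
++ } else {
++ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
++ if (!str)
++ str = xmlStrdup(qName);
++ }
++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+msg = xmlStrcat(msg, BAD_CAST "'");
+FREE_AND_NULL(str);
+}
+@@ -2617,7 +2626,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstrac
+str = xmlStrcat(str, BAD_CAST ", ");
+}
+str = xmlStrcat(str, BAD_CAST " ).\n");
+- msg = xmlStrcat(msg, BAD_CAST str);
++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+FREE_AND_NULL(str)
+} else
+msg = xmlStrcat(msg, BAD_CAST "\n");
+@@ -3141,11 +3150,13 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC
+msg = xmlStrcat(msg, BAD_CAST " '");
+if (type->builtInType != 0) {
+msg = xmlStrcat(msg, BAD_CAST "xs:");
+- msg = xmlStrcat(msg, type->name);
+- } else
+- msg = xmlStrcat(msg,
+- xmlSchemaFormatQName(&str,
+- type->targetNamespace, type->name));
++ str = xmlStrdup(type->name);
++ } else {
++ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
++ if (!str)
++ str = xmlStrdup(qName);
++ }
++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+msg = xmlStrcat(msg, BAD_CAST "'.");
+FREE_AND_NULL(str);
+}
+@@ -3158,7 +3169,9 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC
+}
+if (expected) {
+msg = xmlStrcat(msg, BAD_CAST " Expected is '");
+- msg = xmlStrcat(msg, BAD_CAST expected);
++ xmlChar *expectedEscaped = xmlCharStrdup(expected);
++ msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped));
++ FREE_AND_NULL(expectedEscaped);
+msg = xmlStrcat(msg, BAD_CAST "'.\n");
+} else
+msg = xmlStrcat(msg, BAD_CAST "\n");
+Index: libxml2-2.9.2/xmlstring.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlstring.c
++++ libxml2-2.9.2/xmlstring.c
+@@ -987,5 +987,60 @@ xmlUTF8Strsub(const xmlChar *utf, int st
+return(xmlUTF8Strndup(utf, len));
+}
+
++/**
++ * xmlEscapeFormatString:
++ * @msg: a pointer to the string in which to escape '%' characters.
++ * Must be a heap-allocated buffer created by libxml2 that may be
++ * returned, or that may be freed and replaced.
++ *
++ * Replaces the string pointed to by 'msg' with an escaped string.
++ * Returns the same string with all '%' characters escaped.
++ */
++xmlChar *
++xmlEscapeFormatString(xmlChar **msg)
++{
++ xmlChar *msgPtr = NULL;
++ xmlChar *result = NULL;
++ xmlChar *resultPtr = NULL;
++ size_t count = 0;
++ size_t msgLen = 0;
++ size_t resultLen = 0;
++
++ if (!msg || !*msg)
++ return(NULL);
++
++ for (msgPtr = *msg; *msgPtr != '\0'; ++msgPtr) {
++ ++msgLen;
++ if (*msgPtr == '%')
++ ++count;
++ }
++
++ if (count == 0)
++ return(*msg);
++
++ resultLen = msgLen + count + 1;
++ result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar));
++ if (result == NULL) {
++ /* Clear *msg to prevent format string vulnerabilities in
++ out-of-memory situations. */
++ xmlFree(*msg);
++ *msg = NULL;
++ xmlErrMemory(NULL, NULL);
++ return(NULL);
++ }
++
++ for (msgPtr = *msg, resultPtr = result; *msgPtr != '\0'; ++msgPtr, ++resultPtr) {
++ *resultPtr = *msgPtr;
++ if (*msgPtr == '%')
++ *(++resultPtr) = '%';
++ }
++ result[resultLen - 1] = '\0';
++
++ xmlFree(*msg);
++ *msg = result;
++
++ return *msg;
++}
++
+#define bottom_xmlstring
+#include "elfgcchack.h"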
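Review bot: The doc comment on xmlEscapeFormatString() in the xmlstring.c hunk leaves out the failure and ownership contract: when xmlMallocAtomic fails the function frees `*msg`, sets it to NULL and returns NULL, and on success the old buffer is freed and replaced, so any other pointer to it goes stale. This matters at the new call sites, because xmlSchemaFormatNodeForError() discards the return value and xmlSchemaFormatItemForReport() now returns the result where it used to return `*buf`; both functions continue outside the visible hunks, so whether their callers tolerate a NULL result should be confirmed. I would add to the comment `Returns NULL if msg or *msg is NULL; on allocation failure frees *msg, sets it to NULL and returns NULL.` and note that the input buffer is freed whenever a replacement is allocated. As a style point, `xmlChar *result` in relaxng.c and `xmlChar *expectedEscaped` in xmlschemas.c are declared after statements, which may warn or fail on strict C89 builds.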