diff options
Diffstat (limited to 'meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch new file mode 100644 index 0000000000..cf8d6badf3 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From c97750d11bb8b6f3303e7131fe526a61ac65bcfd Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Veillard <veillard@redhat.com> | ||
3 | Date: Mon, 23 May 2016 13:39:13 +0800 | ||
4 | Subject: [PATCH] Avoid an out of bound access when serializing malformed | ||
5 | strings | ||
6 | |||
7 | For https://bugzilla.gnome.org/show_bug.cgi?id=766414 | ||
8 | |||
9 | * xmlsave.c: xmlBufAttrSerializeTxtContent() if an attribute value | ||
10 | is not UTF-8 be more careful when serializing it as we may do an | ||
11 | out of bound access as a result. | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | CVE: CVE-2016-4483 | ||
15 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
16 | |||
17 | --- | ||
18 | xmlsave.c | 8 ++++---- | ||
19 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
20 | |||
21 | diff --git a/xmlsave.c b/xmlsave.c | ||
22 | index 774404b..4a8e3f3 100644 | ||
23 | --- a/xmlsave.c | ||
24 | +++ b/xmlsave.c | ||
25 | @@ -2097,8 +2097,8 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc, | ||
26 | xmlBufAdd(buf, BAD_CAST "&", 5); | ||
27 | cur++; | ||
28 | base = cur; | ||
29 | - } else if ((*cur >= 0x80) && ((doc == NULL) || | ||
30 | - (doc->encoding == NULL))) { | ||
31 | + } else if ((*cur >= 0x80) && (cur[1] != 0) && | ||
32 | + ((doc == NULL) || (doc->encoding == NULL))) { | ||
33 | /* | ||
34 | * We assume we have UTF-8 content. | ||
35 | */ | ||
36 | @@ -2121,14 +2121,14 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc, | ||
37 | val <<= 6; | ||
38 | val |= (cur[1]) & 0x3F; | ||
39 | l = 2; | ||
40 | - } else if (*cur < 0xF0) { | ||
41 | + } else if ((*cur < 0xF0) && (cur [2] != 0)) { | ||
42 | val = (cur[0]) & 0x0F; | ||
43 | val <<= 6; | ||
44 | val |= (cur[1]) & 0x3F; | ||
45 | val <<= 6; | ||
46 | val |= (cur[2]) & 0x3F; | ||
47 | l = 3; | ||
48 | - } else if (*cur < 0xF8) { | ||
49 | + } else if ((*cur < 0xF8) && (cur [2] != 0) && (cur[3] != 0)) { | ||
50 | val = (cur[0]) & 0x07; | ||
51 | val <<= 6; | ||
52 | val |= (cur[1]) & 0x3F; | ||
53 | -- | ||
54 | 2.3.5 | ||
55 | |||