diff options
Diffstat (limited to 'meta/recipes-core/libxml/libxml2')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch new file mode 100644 index 0000000000..b6204f655a --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch | |||
@@ -0,0 +1,54 @@ | |||
1 | From df3de1376585f7a273d70023f92a530395957324 Mon Sep 17 00:00:00 2001 | ||
2 | From: Joel Hockey <joel.hockey@gmail.com> | ||
3 | Date: Sun, 16 Aug 2020 17:19:35 -0700 | ||
4 | Subject: [PATCH 1/3] Validate UTF8 in xmlEncodeEntities | ||
5 | |||
6 | Code is currently assuming UTF-8 without validating. Truncated UTF-8 | ||
7 | input can cause out-of-bounds array access. | ||
8 | |||
9 | Adds further checks to partial fix in 50f06b3e. | ||
10 | |||
11 | Fixes #178 | ||
12 | |||
13 | CVE: CVE-2021-3517 | ||
14 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2] | ||
15 | |||
16 | Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> | ||
17 | --- | ||
18 | entities.c | 16 +++++++++++++++- | ||
19 | 1 file changed, 15 insertions(+), 1 deletion(-) | ||
20 | |||
21 | diff --git a/entities.c b/entities.c | ||
22 | index d575e9d1..7cdbc4de 100644 | ||
23 | --- a/entities.c | ||
24 | +++ b/entities.c | ||
25 | @@ -666,11 +666,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) { | ||
26 | } else { | ||
27 | /* | ||
28 | * We assume we have UTF-8 input. | ||
29 | + * It must match either: | ||
30 | + * 110xxxxx 10xxxxxx | ||
31 | + * 1110xxxx 10xxxxxx 10xxxxxx | ||
32 | + * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx | ||
33 | + * That is: | ||
34 | + * cur[0] is 11xxxxxx | ||
35 | + * cur[1] is 10xxxxxx | ||
36 | + * cur[2] is 10xxxxxx if cur[0] is 111xxxxx | ||
37 | + * cur[3] is 10xxxxxx if cur[0] is 1111xxxx | ||
38 | + * cur[0] is not 11111xxx | ||
39 | */ | ||
40 | char buf[11], *ptr; | ||
41 | int val = 0, l = 1; | ||
42 | |||
43 | - if (*cur < 0xC0) { | ||
44 | + if (((cur[0] & 0xC0) != 0xC0) || | ||
45 | + ((cur[1] & 0xC0) != 0x80) || | ||
46 | + (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) || | ||
47 | + (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) || | ||
48 | + (((cur[0] & 0xF8) == 0xF8))) { | ||
49 | xmlEntitiesErr(XML_CHECK_NOT_UTF8, | ||
50 | "xmlEncodeEntities: input not UTF-8"); | ||
51 | if (doc != NULL) | ||
52 | -- | ||
53 | 2.25.1 | ||
54 | |||