Diffstat (limited to 'meta/recipes-core/libxml')
-rw-r--r--meta/recipes-core/libxml/libxml2/0001-Port-gentest.py-to-Python-3.patch813
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch89
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch35
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch53
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch112
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch50
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch73
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch98
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch204
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch53
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch348
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch623
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch104
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch79
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch42
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch36
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch71
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-39615-pre.patch44
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch50
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch80
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2024-25062-pre1.patch38
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch33
-rw-r--r--meta/recipes-core/libxml/libxml2/runtest.patch45
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.10.bb46
24 files changed, 3192 insertions, 27 deletions
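diff --git a/meta/recipes-core/libxml/libxml2/0001-Port-gentest.py-to-Python-3.patch b/meta/recipes-core/libxml/libxml2/0001-Port-gentest.py-to-Python-3.patch
new file mode 100644
index 0000000000..b0d26d1c08
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-Port-gentest.py-to-Python-3.patch
@@ -0,0 +1,813 @@
+From b5125000917810731bc28055c0445d571121f80e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 21 Apr 2022 00:45:58 +0200
+Subject: [PATCH] Port gentest.py to Python 3
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/343fc1421cdae097fa6c4cffeb1a065a40be6bbb]
+
+* fixes:
+
+make[1]: 'testReader' is up to date.
+ File "../libxml2-2.9.10/gentest.py", line 11
+ print "libxml2 python bindings not available, skipping testapi.c generation"
+ ^
+SyntaxError: Missing parentheses in call to 'print'. Did you mean print("libxml2 python bindings not available, skipping testapi.c generation")?
+make[1]: [Makefile:2078: testapi.c] Error 1 (ignored)
+
+...
+
+make[1]: 'testReader' is up to date.
+ File "../libxml2-2.9.10/gentest.py", line 271
+ return 1
+ ^
+TabError: inconsistent use of tabs and spaces in indentation
+make[1]: [Makefile:2078: testapi.c] Error 1 (ignored)
+
+...
+
+aarch64-oe-linux-gcc: error: testapi.c: No such file or directory
+aarch64-oe-linux-gcc: fatal error: no input files
+compilation terminated.
+make[1]: *** [Makefile:1275: testapi.o] Error 1
+
+But there is still a bit mystery why it worked before, because check-am
+calls gentest.py with $(PYTHON), so it ignores the shebang in the script
+and libxml2 is using python3native (through python3targetconfig.bbclass)
+so something like:
+
+libxml2/2.9.10-r0/recipe-sysroot-native/usr/bin/python3-native/python3 gentest.py
+
+But that still fails (now without SyntaxError) with:
+libxml2 python bindings not available, skipping testapi.c generation
+
+because we don't have dependency on libxml2-native (to provide libxml2
+python bindings form python3native) and exported PYTHON_SITE_PACKAGES
+might be useless (e.g. /usr/lib/python3.8/site-packages on Ubuntu-22.10
+which uses python 3.10 and there is no site-packages with libxml2)
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ gentest.py | 421 ++++++++++++++++++++++++++---------------------------
+ 1 file changed, 209 insertions(+), 212 deletions(-)
+
+diff --git a/gentest.py b/gentest.py
+index b763300..0756706 100755
+--- a/gentest.py
++++ b/gentest.py
+@@ -8,7 +8,7 @@ import string
+ try:
+ import libxml2
+ except:
+- print "libxml2 python bindings not available, skipping testapi.c generation"
++ print("libxml2 python bindings not available, skipping testapi.c generation")
+ sys.exit(0)
+
+ if len(sys.argv) > 1:
+@@ -227,7 +227,7 @@ extra_post_call = {
+ if (old != NULL) {
+ xmlUnlinkNode(old);
+ xmlFreeNode(old) ; old = NULL ; }
+- ret_val = NULL;""",
++\t ret_val = NULL;""",
+ "xmlTextMerge":
+ """if ((first != NULL) && (first->type != XML_TEXT_NODE)) {
+ xmlUnlinkNode(second);
+@@ -236,7 +236,7 @@ extra_post_call = {
+ """if ((ret_val != NULL) && (ret_val != ncname) &&
+ (ret_val != prefix) && (ret_val != memory))
+ xmlFree(ret_val);
+- ret_val = NULL;""",
++\t ret_val = NULL;""",
+ "xmlNewDocElementContent":
+ """xmlFreeDocElementContent(doc, ret_val); ret_val = NULL;""",
+ "xmlDictReference": "xmlDictFree(dict);",
+@@ -268,29 +268,29 @@ modules = []
+ def is_skipped_module(name):
+ for mod in skipped_modules:
+ if mod == name:
+- return 1
++ return 1
+ return 0
+
+ def is_skipped_function(name):
+ for fun in skipped_functions:
+ if fun == name:
+- return 1
++ return 1
+ # Do not test destructors
+- if string.find(name, 'Free') != -1:
++ if name.find('Free') != -1:
+ return 1
+ return 0
+
+ def is_skipped_memcheck(name):
+ for fun in skipped_memcheck:
+ if fun == name:
+- return 1
++ return 1
+ return 0
+
+ missing_types = {}
+ def add_missing_type(name, func):
+ try:
+ list = missing_types[name]
+- list.append(func)
++ list.append(func)
+ except:
+ missing_types[name] = [func]
+
+@@ -310,7 +310,7 @@ def add_missing_functions(name, module):
+ missing_functions_nr = missing_functions_nr + 1
+ try:
+ list = missing_functions[module]
+- list.append(name)
++ list.append(name)
+ except:
+ missing_functions[module] = [name]
+
+@@ -319,45 +319,45 @@ def add_missing_functions(name, module):
+ #
+
+ def type_convert(str, name, info, module, function, pos):
+-# res = string.replace(str, " ", " ")
+-# res = string.replace(str, " ", " ")
+-# res = string.replace(str, " ", " ")
+- res = string.replace(str, " *", "_ptr")
+-# res = string.replace(str, "*", "_ptr")
+- res = string.replace(res, " ", "_")
++# res = str.replace(" ", " ")
++# res = str.replace(" ", " ")
++# res = str.replace(" ", " ")
++ res = str.replace(" *", "_ptr")
++# res = str.replace("*", "_ptr")
++ res = res.replace(" ", "_")
+ if res == 'const_char_ptr':
+- if string.find(name, "file") != -1 or \
+- string.find(name, "uri") != -1 or \
+- string.find(name, "URI") != -1 or \
+- string.find(info, "filename") != -1 or \
+- string.find(info, "URI") != -1 or \
+- string.find(info, "URL") != -1:
+- if string.find(function, "Save") != -1 or \
+- string.find(function, "Create") != -1 or \
+- string.find(function, "Write") != -1 or \
+- string.find(function, "Fetch") != -1:
+- return('fileoutput')
+- return('filepath')
++ if name.find("file") != -1 or \
++ name.find("uri") != -1 or \
++ name.find("URI") != -1 or \
++ info.find("filename") != -1 or \
++ info.find("URI") != -1 or \
++ info.find("URL") != -1:
++ if function.find("Save") != -1 or \
++ function.find("Create") != -1 or \
++ function.find("Write") != -1 or \
++ function.find("Fetch") != -1:
++ return('fileoutput')
++ return('filepath')
+ if res == 'void_ptr':
+ if module == 'nanoftp' and name == 'ctx':
+- return('xmlNanoFTPCtxtPtr')
++ return('xmlNanoFTPCtxtPtr')
+ if function == 'xmlNanoFTPNewCtxt' or \
+- function == 'xmlNanoFTPConnectTo' or \
+- function == 'xmlNanoFTPOpen':
+- return('xmlNanoFTPCtxtPtr')
++ function == 'xmlNanoFTPConnectTo' or \
++ function == 'xmlNanoFTPOpen':
++ return('xmlNanoFTPCtxtPtr')
+ if module == 'nanohttp' and name == 'ctx':
+- return('xmlNanoHTTPCtxtPtr')
+- if function == 'xmlNanoHTTPMethod' or \
+- function == 'xmlNanoHTTPMethodRedir' or \
+- function == 'xmlNanoHTTPOpen' or \
+- function == 'xmlNanoHTTPOpenRedir':
+- return('xmlNanoHTTPCtxtPtr');
++ return('xmlNanoHTTPCtxtPtr')
++ if function == 'xmlNanoHTTPMethod' or \
++ function == 'xmlNanoHTTPMethodRedir' or \
++ function == 'xmlNanoHTTPOpen' or \
++ function == 'xmlNanoHTTPOpenRedir':
++ return('xmlNanoHTTPCtxtPtr');
+ if function == 'xmlIOHTTPOpen':
+- return('xmlNanoHTTPCtxtPtr')
+- if string.find(name, "data") != -1:
+- return('userdata')
+- if string.find(name, "user") != -1:
+- return('userdata')
++ return('xmlNanoHTTPCtxtPtr')
++ if name.find("data") != -1:
++ return('userdata')
++ if name.find("user") != -1:
++ return('userdata')
+ if res == 'xmlDoc_ptr':
+ res = 'xmlDocPtr'
+ if res == 'xmlNode_ptr':
+@@ -366,18 +366,18 @@ def type_convert(str, name, info, module, function, pos):
+ res = 'xmlDictPtr'
+ if res == 'xmlNodePtr' and pos != 0:
+ if (function == 'xmlAddChild' and pos == 2) or \
+- (function == 'xmlAddChildList' and pos == 2) or \
++ (function == 'xmlAddChildList' and pos == 2) or \
+ (function == 'xmlAddNextSibling' and pos == 2) or \
+ (function == 'xmlAddSibling' and pos == 2) or \
+ (function == 'xmlDocSetRootElement' and pos == 2) or \
+ (function == 'xmlReplaceNode' and pos == 2) or \
+ (function == 'xmlTextMerge') or \
+- (function == 'xmlAddPrevSibling' and pos == 2):
+- return('xmlNodePtr_in');
++ (function == 'xmlAddPrevSibling' and pos == 2):
++ return('xmlNodePtr_in');
+ if res == 'const xmlBufferPtr':
+ res = 'xmlBufferPtr'
+ if res == 'xmlChar_ptr' and name == 'name' and \
+- string.find(function, "EatName") != -1:
++ function.find("EatName") != -1:
+ return('eaten_name')
+ if res == 'void_ptr*':
+ res = 'void_ptr_ptr'
+@@ -393,7 +393,7 @@ def type_convert(str, name, info, module, function, pos):
+ res = 'debug_FILE_ptr';
+ if res == 'int' and name == 'options':
+ if module == 'parser' or module == 'xmlreader':
+- res = 'parseroptions'
++ res = 'parseroptions'
+
+ return res
+
+@@ -402,28 +402,28 @@ known_param_types = []
+ def is_known_param_type(name):
+ for type in known_param_types:
+ if type == name:
+- return 1
++ return 1
+ return name[-3:] == 'Ptr' or name[-4:] == '_ptr'
+
+ def generate_param_type(name, rtype):
+ global test
+ for type in known_param_types:
+ if type == name:
+- return
++ return
+ for type in generated_param_types:
+ if type == name:
+- return
++ return
+
+ if name[-3:] == 'Ptr' or name[-4:] == '_ptr':
+ if rtype[0:6] == 'const ':
+- crtype = rtype[6:]
+- else:
+- crtype = rtype
++ crtype = rtype[6:]
++ else:
++ crtype = rtype
+
+ define = 0
+- if modules_defines.has_key(module):
+- test.write("#ifdef %s\n" % (modules_defines[module]))
+- define = 1
++ if module in modules_defines:
++ test.write("#ifdef %s\n" % (modules_defines[module]))
++ define = 1
+ test.write("""
+ #define gen_nb_%s 1
+ static %s gen_%s(int no ATTRIBUTE_UNUSED, int nr ATTRIBUTE_UNUSED) {
+@@ -433,7 +433,7 @@ static void des_%s(int no ATTRIBUTE_UNUSED, %s val ATTRIBUTE_UNUSED, int nr ATTR
+ }
+ """ % (name, crtype, name, name, rtype))
+ if define == 1:
+- test.write("#endif\n\n")
++ test.write("#endif\n\n")
+ add_generated_param_type(name)
+
+ #
+@@ -445,7 +445,7 @@ known_return_types = []
+ def is_known_return_type(name):
+ for type in known_return_types:
+ if type == name:
+- return 1
++ return 1
+ return 0
+
+ #
+@@ -471,7 +471,7 @@ def compare_and_save():
+ try:
+ os.system("rm testapi.c; mv testapi.c.new testapi.c")
+ except:
+- os.system("mv testapi.c.new testapi.c")
++ os.system("mv testapi.c.new testapi.c")
+ print("Updated testapi.c")
+ else:
+ print("Generated testapi.c is identical")
+@@ -481,17 +481,17 @@ while line != "":
+ if line == "/* CUT HERE: everything below that line is generated */\n":
+ break;
+ if line[0:15] == "#define gen_nb_":
+- type = string.split(line[15:])[0]
+- known_param_types.append(type)
++ type = line[15:].split()[0]
++ known_param_types.append(type)
+ if line[0:19] == "static void desret_":
+- type = string.split(line[19:], '(')[0]
+- known_return_types.append(type)
++ type = line[19:].split('(')[0]
++ known_return_types.append(type)
+ test.write(line)
+ line = input.readline()
+ input.close()
+
+ if line == "":
+- print "Could not find the CUT marker in testapi.c skipping generation"
++ print("Could not find the CUT marker in testapi.c skipping generation")
+ test.close()
+ sys.exit(0)
+
+@@ -505,7 +505,7 @@ test.write("/* CUT HERE: everything below that line is generated */\n")
+ #
+ doc = libxml2.readFile(srcPref + 'doc/libxml2-api.xml', None, 0)
+ if doc == None:
+- print "Failed to load doc/libxml2-api.xml"
++ print("Failed to load doc/libxml2-api.xml")
+ sys.exit(1)
+ ctxt = doc.xpathNewContext()
+
+@@ -519,9 +519,9 @@ for arg in args:
+ mod = arg.xpathEval('string(../@file)')
+ func = arg.xpathEval('string(../@name)')
+ if (mod not in skipped_modules) and (func not in skipped_functions):
+- type = arg.xpathEval('string(@type)')
+- if not argtypes.has_key(type):
+- argtypes[type] = func
++ type = arg.xpathEval('string(@type)')
++ if type not in argtypes:
++ argtypes[type] = func
+
+ # similarly for return types
+ rettypes = {}
+@@ -531,8 +531,8 @@ for ret in rets:
+ func = ret.xpathEval('string(../@name)')
+ if (mod not in skipped_modules) and (func not in skipped_functions):
+ type = ret.xpathEval('string(@type)')
+- if not rettypes.has_key(type):
+- rettypes[type] = func
++ if type not in rettypes:
++ rettypes[type] = func
+
+ #
+ # Generate constructors and return type handling for all enums
+@@ -549,49 +549,49 @@ for enum in enums:
+ continue;
+ define = 0
+
+- if argtypes.has_key(name) and is_known_param_type(name) == 0:
+- values = ctxt.xpathEval("/api/symbols/enum[@type='%s']" % name)
+- i = 0
+- vals = []
+- for value in values:
+- vname = value.xpathEval('string(@name)')
+- if vname == None:
+- continue;
+- i = i + 1
+- if i >= 5:
+- break;
+- vals.append(vname)
+- if vals == []:
+- print "Didn't find any value for enum %s" % (name)
+- continue
+- if modules_defines.has_key(module):
+- test.write("#ifdef %s\n" % (modules_defines[module]))
+- define = 1
+- test.write("#define gen_nb_%s %d\n" % (name, len(vals)))
+- test.write("""static %s gen_%s(int no, int nr ATTRIBUTE_UNUSED) {\n""" %
+- (name, name))
+- i = 1
+- for value in vals:
+- test.write(" if (no == %d) return(%s);\n" % (i, value))
+- i = i + 1
+- test.write(""" return(0);
++ if (name in argtypes) and is_known_param_type(name) == 0:
++ values = ctxt.xpathEval("/api/symbols/enum[@type='%s']" % name)
++ i = 0
++ vals = []
++ for value in values:
++ vname = value.xpathEval('string(@name)')
++ if vname == None:
++ continue;
++ i = i + 1
++ if i >= 5:
++ break;
++ vals.append(vname)
++ if vals == []:
++ print("Didn't find any value for enum %s" % (name))
++ continue
++ if module in modules_defines:
++ test.write("#ifdef %s\n" % (modules_defines[module]))
++ define = 1
++ test.write("#define gen_nb_%s %d\n" % (name, len(vals)))
++ test.write("""static %s gen_%s(int no, int nr ATTRIBUTE_UNUSED) {\n""" %
++ (name, name))
++ i = 1
++ for value in vals:
++ test.write(" if (no == %d) return(%s);\n" % (i, value))
++ i = i + 1
++ test.write(""" return(0);
+ }
+
+ static void des_%s(int no ATTRIBUTE_UNUSED, %s val ATTRIBUTE_UNUSED, int nr ATTRIBUTE_UNUSED) {
+ }
+
+ """ % (name, name));
+- known_param_types.append(name)
++ known_param_types.append(name)
+
+ if (is_known_return_type(name) == 0) and (name in rettypes):
+- if define == 0 and modules_defines.has_key(module):
+- test.write("#ifdef %s\n" % (modules_defines[module]))
+- define = 1
++ if define == 0 and (module in modules_defines):
++ test.write("#ifdef %s\n" % (modules_defines[module]))
++ define = 1
+ test.write("""static void desret_%s(%s val ATTRIBUTE_UNUSED) {
+ }
+
+ """ % (name, name))
+- known_return_types.append(name)
++ known_return_types.append(name)
+ if define == 1:
+ test.write("#endif\n\n")
+
+@@ -615,9 +615,9 @@ for file in headers:
+ # do not test deprecated APIs
+ #
+ desc = file.xpathEval('string(description)')
+- if string.find(desc, 'DEPRECATED') != -1:
+- print "Skipping deprecated interface %s" % name
+- continue;
++ if desc.find('DEPRECATED') != -1:
++ print("Skipping deprecated interface %s" % name)
++ continue;
+
+ test.write("#include <libxml/%s.h>\n" % name)
+ modules.append(name)
+@@ -679,7 +679,7 @@ def generate_test(module, node):
+ # and store the informations for the generation
+ #
+ try:
+- args = node.xpathEval("arg")
++ args = node.xpathEval("arg")
+ except:
+ args = []
+ t_args = []
+@@ -687,37 +687,37 @@ def generate_test(module, node):
+ for arg in args:
+ n = n + 1
+ rtype = arg.xpathEval("string(@type)")
+- if rtype == 'void':
+- break;
+- info = arg.xpathEval("string(@info)")
+- nam = arg.xpathEval("string(@name)")
++ if rtype == 'void':
++ break;
++ info = arg.xpathEval("string(@info)")
++ nam = arg.xpathEval("string(@name)")
+ type = type_convert(rtype, nam, info, module, name, n)
+- if is_known_param_type(type) == 0:
+- add_missing_type(type, name);
+- no_gen = 1
++ if is_known_param_type(type) == 0:
++ add_missing_type(type, name);
++ no_gen = 1
+ if (type[-3:] == 'Ptr' or type[-4:] == '_ptr') and \
+- rtype[0:6] == 'const ':
+- crtype = rtype[6:]
+- else:
+- crtype = rtype
+- t_args.append((nam, type, rtype, crtype, info))
++ rtype[0:6] == 'const ':
++ crtype = rtype[6:]
++ else:
++ crtype = rtype
++ t_args.append((nam, type, rtype, crtype, info))
+
+ try:
+- rets = node.xpathEval("return")
++ rets = node.xpathEval("return")
+ except:
+ rets = []
+ t_ret = None
+ for ret in rets:
+ rtype = ret.xpathEval("string(@type)")
+- info = ret.xpathEval("string(@info)")
++ info = ret.xpathEval("string(@info)")
+ type = type_convert(rtype, 'return', info, module, name, 0)
+- if rtype == 'void':
+- break
+- if is_known_return_type(type) == 0:
+- add_missing_type(type, name);
+- no_gen = 1
+- t_ret = (type, rtype, info)
+- break
++ if rtype == 'void':
++ break
++ if is_known_return_type(type) == 0:
++ add_missing_type(type, name);
++ no_gen = 1
++ t_ret = (type, rtype, info)
++ break
+
+ if no_gen == 0:
+ for t_arg in t_args:
+@@ -733,7 +733,7 @@ test_%s(void) {
+
+ if no_gen == 1:
+ add_missing_functions(name, module)
+- test.write("""
++ test.write("""
+ /* missing type support */
+ return(test_ret);
+ }
+@@ -742,22 +742,22 @@ test_%s(void) {
+ return
+
+ try:
+- conds = node.xpathEval("cond")
+- for cond in conds:
+- test.write("#if %s\n" % (cond.get_content()))
+- nb_cond = nb_cond + 1
++ conds = node.xpathEval("cond")
++ for cond in conds:
++ test.write("#if %s\n" % (cond.get_content()))
++ nb_cond = nb_cond + 1
+ except:
+ pass
+
+ define = 0
+- if function_defines.has_key(name):
++ if name in function_defines:
+ test.write("#ifdef %s\n" % (function_defines[name]))
+- define = 1
++ define = 1
+
+ # Declare the memory usage counter
+ no_mem = is_skipped_memcheck(name)
+ if no_mem == 0:
+- test.write(" int mem_base;\n");
++ test.write(" int mem_base;\n");
+
+ # Declare the return value
+ if t_ret != None:
+@@ -766,29 +766,29 @@ test_%s(void) {
+ # Declare the arguments
+ for arg in t_args:
+ (nam, type, rtype, crtype, info) = arg;
+- # add declaration
+- test.write(" %s %s; /* %s */\n" % (crtype, nam, info))
+- test.write(" int n_%s;\n" % (nam))
++ # add declaration
++ test.write(" %s %s; /* %s */\n" % (crtype, nam, info))
++ test.write(" int n_%s;\n" % (nam))
+ test.write("\n")
+
+ # Cascade loop on of each argument list of values
+ for arg in t_args:
+ (nam, type, rtype, crtype, info) = arg;
+- #
+- test.write(" for (n_%s = 0;n_%s < gen_nb_%s;n_%s++) {\n" % (
+- nam, nam, type, nam))
++ #
++ test.write(" for (n_%s = 0;n_%s < gen_nb_%s;n_%s++) {\n" % (
++ nam, nam, type, nam))
+
+ # log the memory usage
+ if no_mem == 0:
+- test.write(" mem_base = xmlMemBlocks();\n");
++ test.write(" mem_base = xmlMemBlocks();\n");
+
+ # prepare the call
+ i = 0;
+ for arg in t_args:
+ (nam, type, rtype, crtype, info) = arg;
+- #
+- test.write(" %s = gen_%s(n_%s, %d);\n" % (nam, type, nam, i))
+- i = i + 1;
++ #
++ test.write(" %s = gen_%s(n_%s, %d);\n" % (nam, type, nam, i))
++ i = i + 1;
+
+ # add checks to avoid out-of-bounds array access
+ i = 0;
+@@ -797,7 +797,7 @@ test_%s(void) {
+ # assume that "size", "len", and "start" parameters apply to either
+ # the nearest preceding or following char pointer
+ if type == "int" and (nam == "size" or nam == "len" or nam == "start"):
+- for j in range(i - 1, -1, -1) + range(i + 1, len(t_args)):
++ for j in (*range(i - 1, -1, -1), *range(i + 1, len(t_args))):
+ (bnam, btype) = t_args[j][:2]
+ if btype == "const_char_ptr" or btype == "const_xmlChar_ptr":
+ test.write(
+@@ -806,42 +806,42 @@ test_%s(void) {
+ " continue;\n"
+ % (bnam, nam, bnam))
+ break
+- i = i + 1;
++ i = i + 1;
+
+ # do the call, and clanup the result
+- if extra_pre_call.has_key(name):
+- test.write(" %s\n"% (extra_pre_call[name]))
++ if name in extra_pre_call:
++ test.write(" %s\n"% (extra_pre_call[name]))
+ if t_ret != None:
+- test.write("\n ret_val = %s(" % (name))
+- need = 0
+- for arg in t_args:
+- (nam, type, rtype, crtype, info) = arg
+- if need:
+- test.write(", ")
+- else:
+- need = 1
+- if rtype != crtype:
+- test.write("(%s)" % rtype)
+- test.write("%s" % nam);
+- test.write(");\n")
+- if extra_post_call.has_key(name):
+- test.write(" %s\n"% (extra_post_call[name]))
+- test.write(" desret_%s(ret_val);\n" % t_ret[0])
++ test.write("\n ret_val = %s(" % (name))
++ need = 0
++ for arg in t_args:
++ (nam, type, rtype, crtype, info) = arg
++ if need:
++ test.write(", ")
++ else:
++ need = 1
++ if rtype != crtype:
++ test.write("(%s)" % rtype)
++ test.write("%s" % nam);
++ test.write(");\n")
++ if name in extra_post_call:
++ test.write(" %s\n"% (extra_post_call[name]))
++ test.write(" desret_%s(ret_val);\n" % t_ret[0])
+ else:
+- test.write("\n %s(" % (name));
+- need = 0;
+- for arg in t_args:
+- (nam, type, rtype, crtype, info) = arg;
+- if need:
+- test.write(", ")
+- else:
+- need = 1
+- if rtype != crtype:
+- test.write("(%s)" % rtype)
+- test.write("%s" % nam)
+- test.write(");\n")
+- if extra_post_call.has_key(name):
+- test.write(" %s\n"% (extra_post_call[name]))
++ test.write("\n %s(" % (name));
++ need = 0;
++ for arg in t_args:
++ (nam, type, rtype, crtype, info) = arg;
++ if need:
++ test.write(", ")
++ else:
++ need = 1
++ if rtype != crtype:
++ test.write("(%s)" % rtype)
++ test.write("%s" % nam)
++ test.write(");\n")
++ if name in extra_post_call:
++ test.write(" %s\n"% (extra_post_call[name]))
+
+ test.write(" call_tests++;\n");
+
+@@ -849,32 +849,32 @@ test_%s(void) {
+ i = 0;
+ for arg in t_args:
+ (nam, type, rtype, crtype, info) = arg;
+- # This is a hack to prevent generating a destructor for the
+- # 'input' argument in xmlTextReaderSetup. There should be
+- # a better, more generic way to do this!
+- if string.find(info, 'destroy') == -1:
+- test.write(" des_%s(n_%s, " % (type, nam))
+- if rtype != crtype:
+- test.write("(%s)" % rtype)
+- test.write("%s, %d);\n" % (nam, i))
+- i = i + 1;
++ # This is a hack to prevent generating a destructor for the
++ # 'input' argument in xmlTextReaderSetup. There should be
++ # a better, more generic way to do this!
++ if info.find('destroy') == -1:
++ test.write(" des_%s(n_%s, " % (type, nam))
++ if rtype != crtype:
++ test.write("(%s)" % rtype)
++ test.write("%s, %d);\n" % (nam, i))
++ i = i + 1;
+
+ test.write(" xmlResetLastError();\n");
+ # Check the memory usage
+ if no_mem == 0:
+- test.write(""" if (mem_base != xmlMemBlocks()) {
++ test.write(""" if (mem_base != xmlMemBlocks()) {
+ printf("Leak of %%d blocks found in %s",
+- xmlMemBlocks() - mem_base);
+- test_ret++;
++\t xmlMemBlocks() - mem_base);
++\t test_ret++;
+ """ % (name));
+- for arg in t_args:
+- (nam, type, rtype, crtype, info) = arg;
+- test.write(""" printf(" %%d", n_%s);\n""" % (nam))
+- test.write(""" printf("\\n");\n""")
+- test.write(" }\n")
++ for arg in t_args:
++ (nam, type, rtype, crtype, info) = arg;
++ test.write(""" printf(" %%d", n_%s);\n""" % (nam))
++ test.write(""" printf("\\n");\n""")
++ test.write(" }\n")
+
+ for arg in t_args:
+- test.write(" }\n")
++ test.write(" }\n")
+
+ test.write(" function_tests++;\n")
+ #
+@@ -882,7 +882,7 @@ test_%s(void) {
+ #
+ while nb_cond > 0:
+ test.write("#endif\n")
+- nb_cond = nb_cond -1
++ nb_cond = nb_cond -1
+ if define == 1:
+ test.write("#endif\n")
+
+@@ -900,10 +900,10 @@ test_%s(void) {
+ for module in modules:
+ # gather all the functions exported by that module
+ try:
+- functions = ctxt.xpathEval("/api/symbols/function[@file='%s']" % (module))
++ functions = ctxt.xpathEval("/api/symbols/function[@file='%s']" % (module))
+ except:
+- print "Failed to gather functions from module %s" % (module)
+- continue;
++ print("Failed to gather functions from module %s" % (module))
++ continue;
+
+ # iterate over all functions in the module generating the test
+ i = 0
+@@ -923,14 +923,14 @@ test_%s(void) {
+ # iterate over all functions in the module generating the call
+ for function in functions:
+ name = function.xpathEval('string(@name)')
+- if is_skipped_function(name):
+- continue
+- test.write(" test_ret += test_%s();\n" % (name))
++ if is_skipped_function(name):
++ continue
++ test.write(" test_ret += test_%s();\n" % (name))
+
+ # footer
+ test.write("""
+ if (test_ret != 0)
+- printf("Module %s: %%d errors\\n", test_ret);
++\tprintf("Module %s: %%d errors\\n", test_ret);
+ return(test_ret);
+ }
+ """ % (module))
+@@ -948,7 +948,7 @@ test.write(""" return(0);
+ }
+ """);
+
+-print "Generated test for %d modules and %d functions" %(len(modules), nb_tests)
++print("Generated test for %d modules and %d functions" %(len(modules), nb_tests))
+
+ compare_and_save()
+
+@@ -960,11 +960,8 @@ for missing in missing_types.keys():
+ n = len(missing_types[missing])
+ missing_list.append((n, missing))
+
+-def compare_missing(a, b):
+- return b[0] - a[0]
+-
+-missing_list.sort(compare_missing)
+-print "Missing support for %d functions and %d types see missing.lst" % (missing_functions_nr, len(missing_list))
++missing_list.sort(key=lambda a: a[0])
++print("Missing support for %d functions and %d types see missing.lst" % (missing_functions_nr, len(missing_list)))
+ lst = open("missing.lst", "w")
+ lst.write("Missing support for %d types" % (len(missing_list)))
+ lst.write("\n")
+@@ -974,9 +971,9 @@ for miss in missing_list:
+ for n in missing_types[miss[1]]:
+ i = i + 1
+ if i > 5:
+- lst.write(" ...")
+- break
+- lst.write(" %s" % (n))
++ lst.write(" ...")
++ break
++ lst.write(" %s" % (n))
+ lst.write("\n")
+ lst.write("\n")
+ lst.write("\n")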
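Review bot: The ported sort near the end of gentest.py, `missing_list.sort(key=lambda a: a[0])`, orders the list ascending by count, whereas the removed `compare_missing` returned `b[0] - a[0]` and so sorted descending; missing.lst would now list the least-referenced types first. Keeping the previous order needs `missing_list.sort(key=lambda a: a[0], reverse=True)`. The line comes from the upstream commit named in Upstream-Status, so the correction belongs upstream rather than in this backport. In the visible hunks the list is only written to missing.lst, after compare_and_save() has run, so the generated testapi.c does not appear to depend on the ordering.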
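diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
new file mode 100644
index 0000000000..5301d05323
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
@@ -0,0 +1,89 @@
+From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 15 Aug 2020 18:32:29 +0200
+Subject: [PATCH] Revert "Do not URI escape in server side includes"
+
+This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
+
+This commit introduced
+
+- an infinite loop, found by OSS-Fuzz, which could be easily fixed.
+- an algorithm with quadratic runtime
+- a security issue, see
+ https://bugzilla.gnome.org/show_bug.cgi?id=769760
+
+A better approach is to add an option not to escape URLs at all
+which libxml2 should have possibly done in the first place.
+
+CVE: CVE-2016-3709
+Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+ HTMLtree.c | 49 +++++++++++--------------------------------------
+ 1 file changed, 11 insertions(+), 38 deletions(-)
+
+diff --git a/HTMLtree.c b/HTMLtree.c
+index 8d236bb35..cdb7f86a6 100644
+--- a/HTMLtree.c
++++ b/HTMLtree.c
+@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur,
+ (!xmlStrcasecmp(cur->name, BAD_CAST "src")) ||
+ ((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
+ (!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
++ xmlChar *escaped;
+ xmlChar *tmp = value;
+- /* xmlURIEscapeStr() escapes '"' so it can be safely used. */
+- xmlBufCCat(buf->buffer, "\"");
+
+ while (IS_BLANK_CH(*tmp)) tmp++;
+
+- /* URI Escape everything, except server side includes. */
+- for ( ; ; ) {
+- xmlChar *escaped;
+- xmlChar endChar;
+- xmlChar *end = NULL;
+- xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST "<!--");
+- if (start != NULL) {
+- end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
+- if (end != NULL) {
+- *start = '\0';
+- }
+- }
+-
+- /* Escape the whole string, or until start (set to '\0'). */
+- escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
+- if (escaped != NULL) {
+- xmlBufCat(buf->buffer, escaped);
+- xmlFree(escaped);
+- } else {
+- xmlBufCat(buf->buffer, tmp);
+- }
+-
+- if (end == NULL) { /* Everything has been written. */
+- break;
+- }
+-
+- /* Do not escape anything within server side includes. */
+- *start = '<'; /* Restore the first character of "<!--". */
+- end += 3; /* strlen("-->") */
+- endChar = *end;
+- *end = '\0';
+- xmlBufCat(buf->buffer, start);
+- *end = endChar;
+- tmp = end;
++ /*
++ * the < and > have already been escaped at the entity level
++ * And doing so here breaks server side includes
++ */
++ escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
++ if (escaped != NULL) {
++ xmlBufWriteQuotedString(buf->buffer, escaped);
++ xmlFree(escaped);
++ } else {
++ xmlBufWriteQuotedString(buf->buffer, value);
+ }
+-
+- xmlBufCCat(buf->buffer, "\"");
+ } else {
+ xmlBufWriteQuotedString(buf->buffer, value);
+ }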
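Review bot: In the restored URI branch of htmlAttrDumpOutput, the fallback `xmlBufWriteQuotedString(buf->buffer, value);` runs when xmlURIEscapeStr returns NULL and writes `value` rather than `tmp`. On that path the leading blanks skipped by `while (IS_BLANK_CH(*tmp)) tmp++;` are emitted again and the attribute goes out without percent-escaping. The value is still passed through xmlBufWriteQuotedString, so this is an inconsistency between the two paths rather than a missing quote; `xmlBufWriteQuotedString(buf->buffer, tmp);` would make them agree. The code is the upstream revert named in Upstream-Status, so a change would belong upstream. The function starts and ends outside the hunk.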
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch
new file mode 100644
index 0000000000..200f42091e
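--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch
@@ -0,0 +1,35 @@
+From 1358d157d0bd83be1dfe356a69213df9fac0b539 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 21 Apr 2021 13:23:27 +0200
+Subject: [PATCH] Fix use-after-free with `xmllint --html --push`
+
+Call htmlCtxtUseOptions to make sure that names aren't stored in
+dictionaries.
+
+Note that this issue only affects xmllint using the HTML push parser.
+
+Fixes #230.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539]
+CVE: CVE-2021-3516
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xmllint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmllint.c b/xmllint.c
+index 6ca1bf54d..dbef273a8 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
+ if (res > 0) {
+ ctxt = htmlCreatePushParserCtxt(NULL, NULL,
+ chars, res, filename, XML_CHAR_ENCODING_NONE);
+- xmlCtxtUseOptions(ctxt, options);
++ htmlCtxtUseOptions(ctxt, options);
+ while ((res = fread(chars, 1, pushsize, f)) > 0) {
+ htmlParseChunk(ctxt, chars, res, 0);
+ }
+--
+GitLab
+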
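Review bot: `ctxt` goes from `htmlCreatePushParserCtxt` straight into `htmlCtxtUseOptions` and `htmlParseChunk` with no NULL check in the lines this hunk shows. If context creation fails, the option call cannot take effect and any later direct use of `ctxt` may dereference NULL. A guard such as `if (ctxt == NULL) return;` placed before `htmlCtxtUseOptions(ctxt, options);`, with whatever cleanup the function needs, would make that failure path explicit. parseAndPrintFile starts and continues outside the hunk, so a check elsewhere cannot be ruled out.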
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch
new file mode 100644
index 0000000000..e88a8ae7c6
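--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch
@@ -0,0 +1,53 @@
+From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
+From: Joel Hockey <joel.hockey@gmail.com>
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
+
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+
+Adds further checks to partial fix in 50f06b3e.
+
+Fixes #178
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2]
+CVE: CVE-2021-3517
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/entities.c b/entities.c
+index 37b99a56..1a8f86f0 100644
+--- a/entities.c
++++ b/entities.c
+@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
+ } else {
+ /*
+ * We assume we have UTF-8 input.
++ * It must match either:
++ * 110xxxxx 10xxxxxx
++ * 1110xxxx 10xxxxxx 10xxxxxx
++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
++ * That is:
++ * cur[0] is 11xxxxxx
++ * cur[1] is 10xxxxxx
++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
++ * cur[0] is not 11111xxx
+ */
+ char buf[11], *ptr;
+ int val = 0, l = 1;
+
+- if (*cur < 0xC0) {
++ if (((cur[0] & 0xC0) != 0xC0) ||
++ ((cur[1] & 0xC0) != 0x80) ||
++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF8) == 0xF8))) {
+ xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+ "xmlEncodeEntities: input not UTF-8");
+ if (doc != NULL)
+--
+GitLab
+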
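Review bot: The new condition avoids reading past the terminator only because `||` short-circuits in the order written, and the added comment does not say so. `cur[2]` and `cur[3]` are read only after the preceding byte was confirmed to be a `10xxxxxx` continuation, which a NUL never is, so a truncated sequence stops the evaluation before the next index. I would record that next to the check, e.g. `/* order matters: each cur[n] is read only after cur[n-1] was validated, so a truncated sequence never indexes past the NUL */`, so that a later reordering does not reintroduce the out-of-bounds read. This assumes `input` is NUL-terminated, which the hunk does not show; xmlEncodeEntitiesInternal begins and continues outside it.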
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
new file mode 100644
index 0000000000..40d3debea1
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
@@ -0,0 +1,112 @@
1From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Wed, 10 Jun 2020 16:34:52 +0200
4Subject: [PATCH 1/2] Don't recurse into xi:include children in
5 xmlXIncludeDoProcess
6
7Otherwise, nested xi:include nodes might result in a use-after-free
8if XML_PARSE_NOXINCNODE is specified.
9
10Found with libFuzzer and ASan.
11
12Upstream-Status: Backport [from fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
13
14The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been modified,
15as to avoid unnecessary modifications to fallback files.
16
17CVE: CVE-2021-3518
18Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
19---
20 xinclude.c | 24 ++++++++++--------------
21 1 file changed, 10 insertions(+), 14 deletions(-)
22
23diff --git a/xinclude.c b/xinclude.c
24index ba850fa5..f260c1a7 100644
25--- a/xinclude.c
26+++ b/xinclude.c
27@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
28 * First phase: lookup the elements in the document
29 */
30 cur = tree;
31- if (xmlXIncludeTestNode(ctxt, cur) == 1)
32- xmlXIncludePreProcessNode(ctxt, cur);
33 while ((cur != NULL) && (cur != tree->parent)) {
34 /* TODO: need to work on entities -> stack */
35- if ((cur->children != NULL) &&
36- (cur->children->type != XML_ENTITY_DECL) &&
37- (cur->children->type != XML_XINCLUDE_START) &&
38- (cur->children->type != XML_XINCLUDE_END)) {
39- cur = cur->children;
40- if (xmlXIncludeTestNode(ctxt, cur))
41- xmlXIncludePreProcessNode(ctxt, cur);
42- } else if (cur->next != NULL) {
43+ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
44+ xmlXIncludePreProcessNode(ctxt, cur);
45+ } else if ((cur->children != NULL) &&
46+ (cur->children->type != XML_ENTITY_DECL) &&
47+ (cur->children->type != XML_XINCLUDE_START) &&
48+ (cur->children->type != XML_XINCLUDE_END)) {
49+ cur = cur->children;
50+ continue;
51+ }
52+ if (cur->next != NULL) {
53 cur = cur->next;
54- if (xmlXIncludeTestNode(ctxt, cur))
55- xmlXIncludePreProcessNode(ctxt, cur);
56 } else {
57 if (cur == tree)
58 break;
59@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
60 break; /* do */
61 if (cur->next != NULL) {
62 cur = cur->next;
63- if (xmlXIncludeTestNode(ctxt, cur))
64- xmlXIncludePreProcessNode(ctxt, cur);
65 break; /* do */
66 }
67 } while (cur != NULL);
68--
692.32.0
70
71
72From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00 2001
73From: Nick Wellnhofer <wellnhofer@aevum.de>
74Date: Thu, 22 Apr 2021 19:26:28 +0200
75Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
76
77The --dropdtd option can leave dangling pointers in entity reference
78nodes. Make sure to skip these nodes when processing XIncludes.
79
80This also avoids scanning entity declarations and even modifying
81them inadvertently during XInclude processing.
82
83Move from a block list to an allow list approach to avoid descending
84into other node types that can't contain elements.
85
86Fixes #237.
87Upstream-Status: Backport
88CVE: CVE-2021-3518
89Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
90---
91 xinclude.c | 5 ++---
92 1 file changed, 2 insertions(+), 3 deletions(-)
93
94diff --git a/xinclude.c b/xinclude.c
95index f260c1a7..d7648529 100644
96--- a/xinclude.c
97+++ b/xinclude.c
98@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
99 if (xmlXIncludeTestNode(ctxt, cur) == 1) {
100 xmlXIncludePreProcessNode(ctxt, cur);
101 } else if ((cur->children != NULL) &&
102- (cur->children->type != XML_ENTITY_DECL) &&
103- (cur->children->type != XML_XINCLUDE_START) &&
104- (cur->children->type != XML_XINCLUDE_END)) {
105+ ((cur->type == XML_DOCUMENT_NODE) ||
106+ (cur->type == XML_ELEMENT_NODE))) {
107 cur = cur->children;
108 continue;
109 }
110--
1112.32.0
112
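Review bot: The second patch in this file ([PATCH 2/2], the `--dropdtd` fix) carries a bare `Upstream-Status: Backport` with no commit or URL, while patch 1/2 and the other backports in this series name their origin. For a CVE fix that makes it hard to later confirm the carried hunk matches what upstream shipped, particularly as patch 1/2 is already stated to be a modified copy. I would change the tag to `Upstream-Status: Backport [<upstream commit URL>]`. If the hunk was adapted for 2.9.10, a line saying so would help too.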
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
new file mode 100644
index 0000000000..9e64c2a36d
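--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
@@ -0,0 +1,50 @@
+From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 1 May 2021 16:53:33 +0200
+Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
+
+Check return value of recursive calls to
+xmlParseElementChildrenContentDeclPriv and return immediately in case
+of errors. Otherwise, struct xmlElementContent could contain unexpected
+null pointers, leading to a null deref when post-validating documents
+which aren't well-formed and parsed in recovery mode.
+
+Fixes #243.
+
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61]
+CVE: CVE-2021-3537
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b42e6043..73c27edd 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ SKIP_BLANKS;
+ cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (cur == NULL)
++ return(NULL);
+ SKIP_BLANKS;
+ GROW;
+ } else {
+@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ SKIP_BLANKS;
+ last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (last == NULL) {
++ if (ret != NULL)
++ xmlFreeDocElementContent(ctxt->myDoc, ret);
++ return(NULL);
++ }
+ SKIP_BLANKS;
+ } else {
+ elem = xmlParseName(ctxt);
+--
+GitLab
+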
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
new file mode 100644
index 0000000000..1f392b4cd7
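--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
@@ -0,0 +1,73 @@
+From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: [PATCH] Patch for security issue CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e]
+CVE: CVE-2021-3541
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index f5e5e169..c9312fa4 100644
+--- a/parser.c
++++ b/parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ xmlEntityPtr ent, size_t replacement)
+ {
+ size_t consumed = 0;
++ int i;
+
+ if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+ return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ rep = NULL;
+ }
+ }
++
++ /*
++ * Prevent entity exponential check, not just replacement while
++ * parsing the DTD
++ * The check is potentially costly so do that only once in a thousand
++ */
++ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
++ (ctxt->nbentities % 1024 == 0)) {
++ for (i = 0;i < ctxt->inputNr;i++) {
++ consumed += ctxt->inputTab[i]->consumed +
++ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
++ }
++ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++ ctxt->instate = XML_PARSER_EOF;
++ return (1);
++ }
++ consumed = 0;
++ }
++
++
++
+ if (replacement != 0) {
+ if (replacement < XML_MAX_TEXT_LENGTH)
+ return(0);
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ xmlChar start[4];
+ xmlCharEncoding enc;
+
++ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
++ return;
++
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+--
+GitLab
+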
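Review bot: The added DTD guard in xmlParserEntityCheck fires only when `ctxt->nbentities % 1024 == 0`, so it depends on the counter landing exactly on a multiple of 1024. If `nbentities` can advance by more than one between calls (not visible in this hunk), the sample points can be stepped over and the amplification check is delayed or missed. A range test against a remembered last-checked value would be sturdier than the modulo. The early return a few lines above also means none of this runs under `XML_PARSE_HUGE`. Both limits deserve a line in the comment, e.g. `/* sampled check: skipped under XML_PARSE_HUGE and between multiples of 1024 */`, so integrators parsing untrusted DTDs know what the mitigation does not cover.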
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch
new file mode 100644
index 0000000000..7fc243eec1
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch
@@ -0,0 +1,98 @@
1From 646fe48d1c8a74310c409ddf81fe7df6700052af Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Tue, 22 Feb 2022 11:51:08 +0100
4Subject: [PATCH] Fix --without-valid build
5
6Regressed in commit 652dd12a.
7---
8 valid.c | 58 ++++++++++++++++++++++++++++-----------------------------
9 1 file changed, 29 insertions(+), 29 deletions(-)
10---
11
12From https://github.com/GNOME/libxml2.git
13 commit 646fe48d1c8a74310c409ddf81fe7df6700052af
14
15CVE: CVE-2022-23308
16Upstream-Status: Backport
17
18Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
19
20diff --git a/valid.c b/valid.c
21index 8e596f1d..9684683a 100644
22--- a/valid.c
23+++ b/valid.c
24@@ -479,35 +479,6 @@ nodeVPop(xmlValidCtxtPtr ctxt)
25 return (ret);
26 }
27
28-/**
29- * xmlValidNormalizeString:
30- * @str: a string
31- *
32- * Normalize a string in-place.
33- */
34-static void
35-xmlValidNormalizeString(xmlChar *str) {
36- xmlChar *dst;
37- const xmlChar *src;
38-
39- if (str == NULL)
40- return;
41- src = str;
42- dst = str;
43-
44- while (*src == 0x20) src++;
45- while (*src != 0) {
46- if (*src == 0x20) {
47- while (*src == 0x20) src++;
48- if (*src != 0)
49- *dst++ = 0x20;
50- } else {
51- *dst++ = *src++;
52- }
53- }
54- *dst = 0;
55-}
56-
57 #ifdef DEBUG_VALID_ALGO
58 static void
59 xmlValidPrintNode(xmlNodePtr cur) {
60@@ -2636,6 +2607,35 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
61 (xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \
62 xmlFree((char *)(str));
63
64+/**
65+ * xmlValidNormalizeString:
66+ * @str: a string
67+ *
68+ * Normalize a string in-place.
69+ */
70+static void
71+xmlValidNormalizeString(xmlChar *str) {
72+ xmlChar *dst;
73+ const xmlChar *src;
74+
75+ if (str == NULL)
76+ return;
77+ src = str;
78+ dst = str;
79+
80+ while (*src == 0x20) src++;
81+ while (*src != 0) {
82+ if (*src == 0x20) {
83+ while (*src == 0x20) src++;
84+ if (*src != 0)
85+ *dst++ = 0x20;
86+ } else {
87+ *dst++ = *src++;
88+ }
89+ }
90+ *dst = 0;
91+}
92+
93 static int
94 xmlIsStreaming(xmlValidCtxtPtr ctxt) {
95 xmlParserCtxtPtr pctxt;
96--
972.35.1
98
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
new file mode 100644
index 0000000000..bf5604e81a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
@@ -0,0 +1,204 @@
1From 8b66850de350f0fcd786ae776a65ba15a5999e50 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Tue, 8 Feb 2022 03:29:24 +0100
4Subject: [PATCH] Use-after-free of ID and IDREF attributes
5
6If a document is parsed with XML_PARSE_DTDVALID and without
7XML_PARSE_NOENT, the value of ID attributes has to be normalized after
8potentially expanding entities in xmlRemoveID. Otherwise, later calls
9to xmlGetID can return a pointer to previously freed memory.
10
11ID attributes which are empty or contain only whitespace after
12entity expansion are affected in a similar way. This is fixed by
13not storing such attributes in the ID table.
14
15The test to detect streaming mode when validating against a DTD was
16broken. In connection with the defects above, this could result in a
17use-after-free when using the xmlReader interface with validation.
18Fix detection of streaming mode to avoid similar issues. (This changes
19the expected result of a test case. But as far as I can tell, using the
20XML reader with XIncludes referencing the root document never worked
21properly, anyway.)
22
23All of these issues can result in denial of service. Using xmlReader
24with validation could result in disclosure of memory via the error
25channel, typically stderr. The security impact of xmlGetID returning
26a pointer to freed memory depends on the application. The typical use
27case of calling xmlGetID on an unmodified document is not affected.
28
29Upstream-Status: Backport
30[https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12a858989b14eed4e84e453059cd3ba340e]
31
32The upstream patch 652dd12a858989b14eed4e84e453059cd3ba340e has been modified
33to skip the patch to the testsuite result (result/XInclude/ns1.xml.rdr), as
34this particular test does not exist in v2.9.10 (it was added later).
35
36CVE: CVE-2022-23308
37Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
38
39---
40 valid.c | 88 +++++++++++++++++++++++++++++++++++----------------------
41 1 file changed, 55 insertions(+), 33 deletions(-)
42
43diff --git a/valid.c b/valid.c
44index 07963e7..ee75311 100644
45--- a/valid.c
46+++ b/valid.c
47@@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt)
48 return (ret);
49 }
50
51+/**
52+ * xmlValidNormalizeString:
53+ * @str: a string
54+ *
55+ * Normalize a string in-place.
56+ */
57+static void
58+xmlValidNormalizeString(xmlChar *str) {
59+ xmlChar *dst;
60+ const xmlChar *src;
61+
62+ if (str == NULL)
63+ return;
64+ src = str;
65+ dst = str;
66+
67+ while (*src == 0x20) src++;
68+ while (*src != 0) {
69+ if (*src == 0x20) {
70+ while (*src == 0x20) src++;
71+ if (*src != 0)
72+ *dst++ = 0x20;
73+ } else {
74+ *dst++ = *src++;
75+ }
76+ }
77+ *dst = 0;
78+}
79+
80 #ifdef DEBUG_VALID_ALGO
81 static void
82 xmlValidPrintNode(xmlNodePtr cur) {
83@@ -2607,6 +2636,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
84 (xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \
85 xmlFree((char *)(str));
86
87+static int
88+xmlIsStreaming(xmlValidCtxtPtr ctxt) {
89+ xmlParserCtxtPtr pctxt;
90+
91+ if (ctxt == NULL)
92+ return(0);
93+ /*
94+ * These magic values are also abused to detect whether we're validating
95+ * while parsing a document. In this case, userData points to the parser
96+ * context.
97+ */
98+ if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) &&
99+ (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1))
100+ return(0);
101+ pctxt = ctxt->userData;
102+ return(pctxt->parseMode == XML_PARSE_READER);
103+}
104+
105 /**
106 * xmlFreeID:
107 * @not: A id
108@@ -2650,7 +2697,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
109 if (doc == NULL) {
110 return(NULL);
111 }
112- if (value == NULL) {
113+ if ((value == NULL) || (value[0] == 0)) {
114 return(NULL);
115 }
116 if (attr == NULL) {
117@@ -2681,7 +2728,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
118 */
119 ret->value = xmlStrdup(value);
120 ret->doc = doc;
121- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
122+ if (xmlIsStreaming(ctxt)) {
123 /*
124 * Operating in streaming mode, attr is gonna disappear
125 */
126@@ -2820,6 +2867,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
127 ID = xmlNodeListGetString(doc, attr->children, 1);
128 if (ID == NULL)
129 return(-1);
130+ xmlValidNormalizeString(ID);
131
132 id = xmlHashLookup(table, ID);
133 if (id == NULL || id->attr != attr) {
134@@ -3009,7 +3057,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
135 * fill the structure.
136 */
137 ret->value = xmlStrdup(value);
138- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
139+ if (xmlIsStreaming(ctxt)) {
140 /*
141 * Operating in streaming mode, attr is gonna disappear
142 */
143@@ -4028,8 +4076,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
144 xmlChar *
145 xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
146 xmlNodePtr elem, const xmlChar *name, const xmlChar *value) {
147- xmlChar *ret, *dst;
148- const xmlChar *src;
149+ xmlChar *ret;
150 xmlAttributePtr attrDecl = NULL;
151 int extsubset = 0;
152
153@@ -4070,19 +4117,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
154 ret = xmlStrdup(value);
155 if (ret == NULL)
156 return(NULL);
157- src = value;
158- dst = ret;
159- while (*src == 0x20) src++;
160- while (*src != 0) {
161- if (*src == 0x20) {
162- while (*src == 0x20) src++;
163- if (*src != 0)
164- *dst++ = 0x20;
165- } else {
166- *dst++ = *src++;
167- }
168- }
169- *dst = 0;
170+ xmlValidNormalizeString(ret);
171 if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) {
172 xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE,
173 "standalone: %s on %s value had to be normalized based on external subset declaration\n",
174@@ -4114,8 +4149,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
175 xmlChar *
176 xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
177 const xmlChar *name, const xmlChar *value) {
178- xmlChar *ret, *dst;
179- const xmlChar *src;
180+ xmlChar *ret;
181 xmlAttributePtr attrDecl = NULL;
182
183 if (doc == NULL) return(NULL);
184@@ -4145,19 +4179,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
185 ret = xmlStrdup(value);
186 if (ret == NULL)
187 return(NULL);
188- src = value;
189- dst = ret;
190- while (*src == 0x20) src++;
191- while (*src != 0) {
192- if (*src == 0x20) {
193- while (*src == 0x20) src++;
194- if (*src != 0)
195- *dst++ = 0x20;
196- } else {
197- *dst++ = *src++;
198- }
199- }
200- *dst = 0;
201+ xmlValidNormalizeString(ret);
202 return(ret);
203 }
204
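Review bot: The new `xmlIsStreaming` helper dereferences `ctxt->userData` as a parser context on the strength of the `finishDtd` magic values alone, with no NULL check. A validation context that carries one of those values but has no `userData` set would crash at `pctxt->parseMode`. A guard such as `if (pctxt == NULL) return(0);` after the assignment keeps the fallback on the non-streaming path. The helper is also the only new function in this patch without a header comment; one stating that it returns 1 only when validating from within the xmlReader, and 0 otherwise, would document the assumption `xmlAddID` and `xmlAddRef` now rely on.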
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch
new file mode 100644
index 0000000000..63d613cc21
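--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch
@@ -0,0 +1,53 @@
+From b07251215ef48c70c6e56f7351406c47cfca4d5b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 10 Jan 2020 15:55:07 +0100
+Subject: [PATCH] Fix integer overflow in xmlBufferResize
+
+Found by OSS-Fuzz.
+
+CVE: CVE-2022-29824
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/b07251215ef48c70c6e56f7351406c47cfca4d5b]
+
+Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
+
+---
+ tree.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 0d7fc98c..f43f6de1 100644
+--- a/tree.c
++++ b/tree.c
+@@ -7424,12 +7424,17 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ if (size < buf->size)
+ return 1;
+
++ if (size > UINT_MAX - 10) {
++ xmlTreeErrMemory("growing buffer");
++ return 0;
++ }
++
+ /* figure out new size */
+ switch (buf->alloc){
+ case XML_BUFFER_ALLOC_IO:
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+- newSize = (buf->size ? buf->size*2 : size + 10);
++ newSize = (buf->size ? buf->size : size + 10);
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+@@ -7445,7 +7450,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ if (buf->use < BASE_BUFFER_SIZE)
+ newSize = size;
+ else {
+- newSize = buf->size * 2;
++ newSize = buf->size;
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+--
+GitLab
+
+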
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch
new file mode 100644
index 0000000000..ad7b87dbc6
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch
@@ -0,0 +1,348 @@
1From 2554a2408e09f13652049e5ffb0d26196b02ebab Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Tue, 8 Mar 2022 20:10:02 +0100
4Subject: [PATCH] [CVE-2022-29824] Fix integer overflows in xmlBuf and
5 xmlBuffer
6
7In several places, the code handling string buffers didn't check for
8integer overflow or used wrong types for buffer sizes. This could
9result in out-of-bounds writes or other memory errors when working on
10large, multi-gigabyte buffers.
11
12Thanks to Felix Wilhelm for the report.
13
14CVE: CVE-2022-29824
15
16Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab]
17
18Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
19
20---
21 buf.c | 86 +++++++++++++++++++++++-----------------------------------
22 tree.c | 72 ++++++++++++++++++------------------------------
23 2 files changed, 61 insertions(+), 97 deletions(-)
24
25diff --git a/buf.c b/buf.c
26index 24368d37..40a5ee06 100644
27--- a/buf.c
28+++ b/buf.c
29@@ -30,6 +30,10 @@
30 #include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
31 #include "buf.h"
32
33+#ifndef SIZE_MAX
34+#define SIZE_MAX ((size_t) -1)
35+#endif
36+
37 #define WITH_BUFFER_COMPAT
38
39 /**
40@@ -156,6 +160,8 @@ xmlBufPtr
41 xmlBufCreateSize(size_t size) {
42 xmlBufPtr ret;
43
44+ if (size == SIZE_MAX)
45+ return(NULL);
46 ret = (xmlBufPtr) xmlMalloc(sizeof(xmlBuf));
47 if (ret == NULL) {
48 xmlBufMemoryError(NULL, "creating buffer");
49@@ -166,8 +172,8 @@ xmlBufCreateSize(size_t size) {
50 ret->error = 0;
51 ret->buffer = NULL;
52 ret->alloc = xmlBufferAllocScheme;
53- ret->size = (size ? size+2 : 0); /* +1 for ending null */
54- ret->compat_size = (int) ret->size;
55+ ret->size = (size ? size + 1 : 0); /* +1 for ending null */
56+ ret->compat_size = (ret->size > INT_MAX ? INT_MAX : ret->size);
57 if (ret->size){
58 ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar));
59 if (ret->content == NULL) {
60@@ -442,23 +448,17 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
61 CHECK_COMPAT(buf)
62
63 if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
64- if (buf->use + len < buf->size)
65+ if (len < buf->size - buf->use)
66 return(buf->size - buf->use);
67+ if (len > SIZE_MAX - buf->use)
68+ return(0);
69
70- /*
71- * Windows has a BIG problem on realloc timing, so we try to double
72- * the buffer size (if that's enough) (bug 146697)
73- * Apparently BSD too, and it's probably best for linux too
74- * On an embedded system this may be something to change
75- */
76-#if 1
77- if (buf->size > (size_t) len)
78- size = buf->size * 2;
79- else
80- size = buf->use + len + 100;
81-#else
82- size = buf->use + len + 100;
83-#endif
84+ if (buf->size > (size_t) len) {
85+ size = buf->size > SIZE_MAX / 2 ? SIZE_MAX : buf->size * 2;
86+ } else {
87+ size = buf->use + len;
88+ size = size > SIZE_MAX - 100 ? SIZE_MAX : size + 100;
89+ }
90
91 if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
92 /*
93@@ -744,7 +744,7 @@ xmlBufIsEmpty(const xmlBufPtr buf)
94 int
95 xmlBufResize(xmlBufPtr buf, size_t size)
96 {
97- unsigned int newSize;
98+ size_t newSize;
99 xmlChar* rebuf = NULL;
100 size_t start_buf;
101
102@@ -772,9 +772,13 @@ xmlBufResize(xmlBufPtr buf, size_t size)
103 case XML_BUFFER_ALLOC_IO:
104 case XML_BUFFER_ALLOC_DOUBLEIT:
105 /*take care of empty case*/
106- newSize = (buf->size ? buf->size*2 : size + 10);
107+ if (buf->size == 0) {
108+ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
109+ } else {
110+ newSize = buf->size;
111+ }
112 while (size > newSize) {
113- if (newSize > UINT_MAX / 2) {
114+ if (newSize > SIZE_MAX / 2) {
115 xmlBufMemoryError(buf, "growing buffer");
116 return 0;
117 }
118@@ -782,15 +786,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
119 }
120 break;
121 case XML_BUFFER_ALLOC_EXACT:
122- newSize = size+10;
123+ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
124 break;
125 case XML_BUFFER_ALLOC_HYBRID:
126 if (buf->use < BASE_BUFFER_SIZE)
127 newSize = size;
128 else {
129- newSize = buf->size * 2;
130+ newSize = buf->size;
131 while (size > newSize) {
132- if (newSize > UINT_MAX / 2) {
133+ if (newSize > SIZE_MAX / 2) {
134 xmlBufMemoryError(buf, "growing buffer");
135 return 0;
136 }
137@@ -800,7 +804,7 @@ xmlBufResize(xmlBufPtr buf, size_t size)
138 break;
139
140 default:
141- newSize = size+10;
142+ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
143 break;
144 }
145
146@@ -866,7 +870,7 @@ xmlBufResize(xmlBufPtr buf, size_t size)
147 */
148 int
149 xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
150- unsigned int needSize;
151+ size_t needSize;
152
153 if ((str == NULL) || (buf == NULL) || (buf->error))
154 return -1;
155@@ -888,8 +892,10 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
156 if (len < 0) return -1;
157 if (len == 0) return 0;
158
159- needSize = buf->use + len + 2;
160- if (needSize > buf->size){
161+ if ((size_t) len >= buf->size - buf->use) {
162+ if ((size_t) len >= SIZE_MAX - buf->use)
163+ return(-1);
164+ needSize = buf->use + len + 1;
165 if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
166 /*
167 * Used to provide parsing limits
168@@ -1025,31 +1031,7 @@ xmlBufCat(xmlBufPtr buf, const xmlChar *str) {
169 */
170 int
171 xmlBufCCat(xmlBufPtr buf, const char *str) {
172- const char *cur;
173-
174- if ((buf == NULL) || (buf->error))
175- return(-1);
176- CHECK_COMPAT(buf)
177- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1;
178- if (str == NULL) {
179-#ifdef DEBUG_BUFFER
180- xmlGenericError(xmlGenericErrorContext,
181- "xmlBufCCat: str == NULL\n");
182-#endif
183- return -1;
184- }
185- for (cur = str;*cur != 0;cur++) {
186- if (buf->use + 10 >= buf->size) {
187- if (!xmlBufResize(buf, buf->use+10)){
188- xmlBufMemoryError(buf, "growing buffer");
189- return XML_ERR_NO_MEMORY;
190- }
191- }
192- buf->content[buf->use++] = *cur;
193- }
194- buf->content[buf->use] = 0;
195- UPDATE_COMPAT(buf)
196- return 0;
197+ return xmlBufCat(buf, (const xmlChar *) str);
198 }
199
200 /**
201diff --git a/tree.c b/tree.c
202index 9d94aa42..86afb7d6 100644
203--- a/tree.c
204+++ b/tree.c
205@@ -7104,6 +7104,8 @@ xmlBufferPtr
206 xmlBufferCreateSize(size_t size) {
207 xmlBufferPtr ret;
208
209+ if (size >= UINT_MAX)
210+ return(NULL);
211 ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer));
212 if (ret == NULL) {
213 xmlTreeErrMemory("creating buffer");
214@@ -7111,7 +7113,7 @@ xmlBufferCreateSize(size_t size) {
215 }
216 ret->use = 0;
217 ret->alloc = xmlBufferAllocScheme;
218- ret->size = (size ? size+2 : 0); /* +1 for ending null */
219+ ret->size = (size ? size + 1 : 0); /* +1 for ending null */
220 if (ret->size){
221 ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar));
222 if (ret->content == NULL) {
223@@ -7171,6 +7173,8 @@ xmlBufferCreateStatic(void *mem, size_t size) {
224
225 if ((mem == NULL) || (size == 0))
226 return(NULL);
227+ if (size > UINT_MAX)
228+ return(NULL);
229
230 ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer));
231 if (ret == NULL) {
232@@ -7318,28 +7322,23 @@ xmlBufferShrink(xmlBufferPtr buf, unsigned int len) {
233 */
234 int
235 xmlBufferGrow(xmlBufferPtr buf, unsigned int len) {
236- int size;
237+ unsigned int size;
238 xmlChar *newbuf;
239
240 if (buf == NULL) return(-1);
241
242 if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
243- if (len + buf->use < buf->size) return(0);
244+ if (len < buf->size - buf->use)
245+ return(0);
246+ if (len > UINT_MAX - buf->use)
247+ return(-1);
248
249- /*
250- * Windows has a BIG problem on realloc timing, so we try to double
251- * the buffer size (if that's enough) (bug 146697)
252- * Apparently BSD too, and it's probably best for linux too
253- * On an embedded system this may be something to change
254- */
255-#if 1
256- if (buf->size > len)
257- size = buf->size * 2;
258- else
259- size = buf->use + len + 100;
260-#else
261- size = buf->use + len + 100;
262-#endif
263+ if (buf->size > (size_t) len) {
264+ size = buf->size > UINT_MAX / 2 ? UINT_MAX : buf->size * 2;
265+ } else {
266+ size = buf->use + len;
267+ size = size > UINT_MAX - 100 ? UINT_MAX : size + 100;
268+ }
269
270 if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
271 size_t start_buf = buf->content - buf->contentIO;
272@@ -7466,7 +7465,10 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
273 case XML_BUFFER_ALLOC_IO:
274 case XML_BUFFER_ALLOC_DOUBLEIT:
275 /*take care of empty case*/
276- newSize = (buf->size ? buf->size : size + 10);
277+ if (buf->size == 0)
278+ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);
279+ else
280+ newSize = buf->size;
281 while (size > newSize) {
282 if (newSize > UINT_MAX / 2) {
283 xmlTreeErrMemory("growing buffer");
284@@ -7476,7 +7478,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
285 }
286 break;
287 case XML_BUFFER_ALLOC_EXACT:
288- newSize = size+10;
289+ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;
290 break;
291 case XML_BUFFER_ALLOC_HYBRID:
292 if (buf->use < BASE_BUFFER_SIZE)
293@@ -7494,7 +7496,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
294 break;
295
296 default:
297- newSize = size+10;
298+ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;
299 break;
300 }
301
302@@ -7580,8 +7582,10 @@ xmlBufferAdd(xmlBufferPtr buf, const xmlChar *str, int len) {
303 if (len < 0) return -1;
304 if (len == 0) return 0;
305
306- needSize = buf->use + len + 2;
307- if (needSize > buf->size){
308+ if ((unsigned) len >= buf->size - buf->use) {
309+ if ((unsigned) len >= UINT_MAX - buf->use)
310+ return XML_ERR_NO_MEMORY;
311+ needSize = buf->use + len + 1;
312 if (!xmlBufferResize(buf, needSize)){
313 xmlTreeErrMemory("growing buffer");
314 return XML_ERR_NO_MEMORY;
315@@ -7694,29 +7698,7 @@ xmlBufferCat(xmlBufferPtr buf, const xmlChar *str) {
316 */
317 int
318 xmlBufferCCat(xmlBufferPtr buf, const char *str) {
319- const char *cur;
320-
321- if (buf == NULL)
322- return(-1);
323- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1;
324- if (str == NULL) {
325-#ifdef DEBUG_BUFFER
326- xmlGenericError(xmlGenericErrorContext,
327- "xmlBufferCCat: str == NULL\n");
328-#endif
329- return -1;
330- }
331- for (cur = str;*cur != 0;cur++) {
332- if (buf->use + 10 >= buf->size) {
333- if (!xmlBufferResize(buf, buf->use+10)){
334- xmlTreeErrMemory("growing buffer");
335- return XML_ERR_NO_MEMORY;
336- }
337- }
338- buf->content[buf->use++] = *cur;
339- }
340- buf->content[buf->use] = 0;
341- return 0;
342+ return xmlBufferCat(buf, (const xmlChar *) str);
343 }
344
345 /**
346--
347GitLab
348
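Review bot: Several of the new overflow rejections return without reporting an error, unlike the failure paths beside them. `xmlBufResize` still calls `xmlBufMemoryError(buf, "growing buffer")` before `return 0`, but the added `if (len > SIZE_MAX - buf->use) return(0);` in `xmlBufGrowInternal`, `return(-1);` in `xmlBufAdd` and `if (size == SIZE_MAX) return(NULL);` in `xmlBufCreateSize` bail out silently; `xmlBufferGrow` and `xmlBufferAdd` in tree.c do the same without `xmlTreeErrMemory`. If that is not deliberate, calling `xmlBufMemoryError(buf, "growing buffer");` before those returns makes the rejection visible to callers that inspect the buffer's error state; if it is, a one-line comment should say so. The subtractions `buf->size - buf->use` also assume `use <= size` on entry, which these hunks do not show being enforced. Separately, the two `newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;` lines in `xmlBufferResize` end in a stray second semicolon.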
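--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch
@@ -0,0 +1,623 @@
+From c846986356fc149915a74972bf198abc266bc2c0 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 25 Aug 2022 17:43:08 +0200
+Subject: [PATCH] [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE
+
+Also impose size limits when XML_PARSE_HUGE is set. Limit size of names
+to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to
+XML_MAX_HUGE_LENGTH (1 billion bytes).
+
+Move some the length checks to the end of the respective loop to make
+them strict.
+
+xmlParseEntityValue didn't have a length limitation at all. But without
+XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW.
+
+Thanks to Maddie Stone working with Google Project Zero for the report!
+
+CVE: CVE-2022-40303
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0]
+Comments: Refreshed hunk
+
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ parser.c | 233 +++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 121 insertions(+), 112 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 93f031be..79479979 100644
+--- a/parser.c
++++ b/parser.c
+@@ -102,6 +102,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt);
+ * *
+ ************************************************************************/
+
++#define XML_MAX_HUGE_LENGTH 1000000000
++
+ #define XML_PARSER_BIG_ENTITY 1000
+ #define XML_PARSER_LOT_ENTITY 5000
+
+@@ -552,7 +554,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
+ errmsg = "Malformed declaration expecting version";
+ break;
+ case XML_ERR_NAME_TOO_LONG:
+- errmsg = "Name too long use XML_PARSE_HUGE option";
++ errmsg = "Name too long";
+ break;
+ #if 0
+ case:
+@@ -3202,6 +3204,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ int len = 0, l;
+ int c;
+ int count = 0;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+
+ #ifdef DEBUG
+ nbParseNameComplex++;
+@@ -3267,7 +3272,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
+ }
+- len += l;
++ if (len <= INT_MAX - l)
++ len += l;
+ NEXTL(l);
+ c = CUR_CHAR(l);
+ }
+@@ -3293,13 +3299,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
+ }
+- len += l;
++ if (len <= INT_MAX - l)
++ len += l;
+ NEXTL(l);
+ c = CUR_CHAR(l);
+ }
+ }
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (len > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+ return(NULL);
+ }
+@@ -3338,7 +3344,10 @@ const xmlChar *
+ xmlParseName(xmlParserCtxtPtr ctxt) {
+ const xmlChar *in;
+ const xmlChar *ret;
+- int count = 0;
++ size_t count = 0;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+
+ GROW;
+
+@@ -3362,8 +3371,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) {
+ in++;
+ if ((*in > 0) && (*in < 0x80)) {
+ count = in - ctxt->input->cur;
+- if ((count > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (count > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+ return(NULL);
+ }
+@@ -3384,6 +3392,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ int len = 0, l;
+ int c;
+ int count = 0;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+ size_t startPosition = 0;
+
+ #ifdef DEBUG
+@@ -3404,17 +3415,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */
+ (xmlIsNameChar(ctxt, c) && (c != ':'))) {
+ if (count++ > XML_PARSER_CHUNK_SIZE) {
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+- return(NULL);
+- }
+ count = 0;
+ GROW;
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
+ }
+- len += l;
++ if (len <= INT_MAX - l)
++ len += l;
+ NEXTL(l);
+ c = CUR_CHAR(l);
+ if (c == 0) {
+@@ -3432,8 +3439,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ c = CUR_CHAR(l);
+ }
+ }
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (len > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+ return(NULL);
+ }
+@@ -3459,7 +3465,10 @@ static const xmlChar *
+ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+ const xmlChar *in, *e;
+ const xmlChar *ret;
+- int count = 0;
++ size_t count = 0;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+
+ #ifdef DEBUG
+ nbParseNCName++;
+@@ -3484,8 +3493,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+ goto complex;
+ if ((*in > 0) && (*in < 0x80)) {
+ count = in - ctxt->input->cur;
+- if ((count > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (count > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+ return(NULL);
+ }
+@@ -3567,6 +3575,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
+ const xmlChar *cur = *str;
+ int len = 0, l;
+ int c;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+
+ #ifdef DEBUG
+ nbParseStringName++;
+@@ -3602,12 +3613,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
+ if (len + 10 > max) {
+ xmlChar *tmp;
+
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+- xmlFree(buffer);
+- return(NULL);
+- }
+ max *= 2;
+ tmp = (xmlChar *) xmlRealloc(buffer,
+ max * sizeof(xmlChar));
+@@ -3621,14 +3626,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
+ COPY_BUF(l,buffer,len,c);
+ cur += l;
+ c = CUR_SCHAR(cur, l);
++ if (len > maxLength) {
++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
++ xmlFree(buffer);
++ return(NULL);
++ }
+ }
+ buffer[len] = 0;
+ *str = cur;
+ return(buffer);
+ }
+ }
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (len > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+ return(NULL);
+ }
+@@ -3655,6 +3664,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+ int len = 0, l;
+ int c;
+ int count = 0;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+
+ #ifdef DEBUG
+ nbParseNmToken++;
+@@ -3706,12 +3718,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+ if (len + 10 > max) {
+ xmlChar *tmp;
+
+- if ((max > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
+- xmlFree(buffer);
+- return(NULL);
+- }
+ max *= 2;
+ tmp = (xmlChar *) xmlRealloc(buffer,
+ max * sizeof(xmlChar));
+@@ -3725,6 +3731,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+ COPY_BUF(l,buffer,len,c);
+ NEXTL(l);
+ c = CUR_CHAR(l);
++ if (len > maxLength) {
++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
++ xmlFree(buffer);
++ return(NULL);
++ }
+ }
+ buffer[len] = 0;
+ return(buffer);
+@@ -3732,8 +3743,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+ }
+ if (len == 0)
+ return(NULL);
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (len > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
+ return(NULL);
+ }
+@@ -3759,6 +3769,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+ int len = 0;
+ int size = XML_PARSER_BUFFER_SIZE;
+ int c, l;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+ xmlChar stop;
+ xmlChar *ret = NULL;
+ const xmlChar *cur = NULL;
+@@ -3818,6 +3831,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+ GROW;
+ c = CUR_CHAR(l);
+ }
++
++ if (len > maxLength) {
++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
++ "entity value too long\n");
++ goto error;
++ }
+ }
+ buf[len] = 0;
+ if (ctxt->instate == XML_PARSER_EOF)
+@@ -3905,6 +3924,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ xmlChar *rep = NULL;
+ size_t len = 0;
+ size_t buf_size = 0;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+ int c, l, in_space = 0;
+ xmlChar *current = NULL;
+ xmlEntityPtr ent;
+@@ -3925,16 +3925,6 @@
+ while (((NXT(0) != limit) && /* checked */
+ (IS_CHAR(c)) && (c != '<')) &&
+ (ctxt->instate != XML_PARSER_EOF)) {
+- /*
+- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE
+- * special option is given
+- */
+- if ((len > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+- "AttValue length too long\n");
+- goto mem_error;
+- }
+ if (c == 0) break;
+ if (c == '&') {
+ in_space = 0;
+@@ -4093,6 +4105,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ }
+ GROW;
+ c = CUR_CHAR(l);
++ if (len > maxLength) {
++ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
++ "AttValue length too long\n");
++ goto mem_error;
++ }
+ }
+ if (ctxt->instate == XML_PARSER_EOF)
+ goto error;
+@@ -4114,16 +4131,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ } else
+ NEXT;
+
+- /*
+- * There we potentially risk an overflow, don't allow attribute value of
+- * length more than INT_MAX it is a very reasonable assumption !
+- */
+- if (len >= INT_MAX) {
+- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+- "AttValue length too long\n");
+- goto mem_error;
+- }
+-
+ if (attlen != NULL) *attlen = (int) len;
+ return(buf);
+
+@@ -4194,6 +4201,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
+ int len = 0;
+ int size = XML_PARSER_BUFFER_SIZE;
+ int cur, l;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+ xmlChar stop;
+ int state = ctxt->instate;
+ int count = 0;
+@@ -4221,13 +4231,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
+ if (len + 5 >= size) {
+ xmlChar *tmp;
+
+- if ((size > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
+- xmlFree(buf);
+- ctxt->instate = (xmlParserInputState) state;
+- return(NULL);
+- }
+ size *= 2;
+ tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
+ if (tmp == NULL) {
+@@ -4256,6 +4259,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
+ SHRINK;
+ cur = CUR_CHAR(l);
+ }
++ if (len > maxLength) {
++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
++ xmlFree(buf);
++ ctxt->instate = (xmlParserInputState) state;
++ return(NULL);
++ }
+ }
+ buf[len] = 0;
+ ctxt->instate = (xmlParserInputState) state;
+@@ -4283,6 +4292,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
+ xmlChar *buf = NULL;
+ int len = 0;
+ int size = XML_PARSER_BUFFER_SIZE;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+ xmlChar cur;
+ xmlChar stop;
+ int count = 0;
+@@ -4310,12 +4322,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
+ if (len + 1 >= size) {
+ xmlChar *tmp;
+
+- if ((size > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
+- xmlFree(buf);
+- return(NULL);
+- }
+ size *= 2;
+ tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
+ if (tmp == NULL) {
+@@ -4343,6 +4349,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
+ SHRINK;
+ cur = CUR;
+ }
++ if (len > maxLength) {
++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
++ xmlFree(buf);
++ return(NULL);
++ }
+ }
+ buf[len] = 0;
+ if (cur != stop) {
+@@ -4742,6 +4753,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
+ int r, rl;
+ int cur, l;
+ size_t count = 0;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+ int inputid;
+
+ inputid = ctxt->input->id;
+@@ -4787,13 +4801,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
+ if ((r == '-') && (q == '-')) {
+ xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL);
+ }
+- if ((len > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+- "Comment too big found", NULL);
+- xmlFree (buf);
+- return;
+- }
+ if (len + 5 >= size) {
+ xmlChar *new_buf;
+ size_t new_size;
+@@ -4831,6 +4838,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
+ GROW;
+ cur = CUR_CHAR(l);
+ }
++
++ if (len > maxLength) {
++ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
++ "Comment too big found", NULL);
++ xmlFree (buf);
++ return;
++ }
+ }
+ buf[len] = 0;
+ if (cur == 0) {
+@@ -4875,6 +4889,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) {
+ xmlChar *buf = NULL;
+ size_t size = XML_PARSER_BUFFER_SIZE;
+ size_t len = 0;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+ xmlParserInputState state;
+ const xmlChar *in;
+ size_t nbchar = 0;
+@@ -4958,8 +4975,7 @@ get_more:
+ buf[len] = 0;
+ }
+ }
+- if ((len > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (len > maxLength) {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+ "Comment too big found", NULL);
+ xmlFree (buf);
+@@ -5159,6 +5175,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+ xmlChar *buf = NULL;
+ size_t len = 0;
+ size_t size = XML_PARSER_BUFFER_SIZE;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+ int cur, l;
+ const xmlChar *target;
+ xmlParserInputState state;
+@@ -5234,14 +5253,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+ return;
+ }
+ count = 0;
+- if ((len > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+- "PI %s too big found", target);
+- xmlFree(buf);
+- ctxt->instate = state;
+- return;
+- }
+ }
+ COPY_BUF(l,buf,len,cur);
+ NEXTL(l);
+@@ -5251,15 +5262,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+ GROW;
+ cur = CUR_CHAR(l);
+ }
++ if (len > maxLength) {
++ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
++ "PI %s too big found", target);
++ xmlFree(buf);
++ ctxt->instate = state;
++ return;
++ }
+ }
+- if ((len > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+- "PI %s too big found", target);
+- xmlFree(buf);
+- ctxt->instate = state;
+- return;
+- }
+ buf[len] = 0;
+ if (cur != '?') {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+@@ -8954,6 +8964,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ const xmlChar *in = NULL, *start, *end, *last;
+ xmlChar *ret = NULL;
+ int line, col;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+
+ GROW;
+ in = (xmlChar *) CUR_PTR;
+@@ -8993,8 +9006,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ start = in;
+ if (in >= end) {
+ GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+@@ -9007,8 +9019,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ if ((*in++ == 0x20) && (*in == 0x20)) break;
+ if (in >= end) {
+ GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+@@ -9041,16 +9052,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ last = last + delta;
+ }
+ end = ctxt->input->end;
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+ }
+ }
+ }
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+@@ -9063,8 +9072,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ col++;
+ if (in >= end) {
+ GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+@@ -9072,8 +9080,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ }
+ }
+ last = in;
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+@@ -9763,6 +9770,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
+ int s, sl;
+ int cur, l;
+ int count = 0;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+
+ /* Check 2.6.0 was NXT(0) not RAW */
+ if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) {
+@@ -9796,13 +9806,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
+ if (len + 5 >= size) {
+ xmlChar *tmp;
+
+- if ((size > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED,
+- "CData section too big found", NULL);
+- xmlFree (buf);
+- return;
+- }
+ tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar));
+ if (tmp == NULL) {
+ xmlFree(buf);
+@@ -9829,6 +9832,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
+ }
+ NEXTL(l);
+ cur = CUR_CHAR(l);
++ if (len > maxLength) {
++ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED,
++ "CData section too big found\n");
++ xmlFree(buf);
++ return;
++ }
+ }
+ buf[len] = 0;
+ ctxt->instate = XML_PARSER_CONTENT;
+--
+GitLab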
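Review bot: `XML_MAX_HUGE_LENGTH` is introduced without a comment, although the rest of the patch depends on it staying below INT_MAX: the `len >= INT_MAX` guard in front of `*attlen = (int) len` in xmlParseAttValueComplex is deleted, and `maxLength` is a plain `int` in xmlParseEntityValue, xmlParseSystemLiteral, xmlParseAttValueInternal and xmlParseCDSect. I would state that invariant at the define, e.g. `/* Upper bound with XML_PARSE_HUGE; must stay below INT_MAX because lengths are kept in int. */`. The refreshed xmlParseAttValueComplex hunk (`@@ -3925,16 +3925,6 @@`) also has a new-side start that overlaps the range of the hunk before it and carries no function context, so it looks worth regenerating against the patched tree. Every function touched here starts or ends outside its hunk, so the buffer-growth code between the relocated checks cannot be confirmed from this page.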
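--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch
@@ -0,0 +1,104 @@
+From 1b41ec4e9433b05bb0376be4725804c54ef1d80b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 31 Aug 2022 22:11:25 +0200
+Subject: [PATCH] [CVE-2022-40304] Fix dict corruption caused by entity
+ reference cycles
+
+When an entity reference cycle is detected, the entity content is
+cleared by setting its first byte to zero. But the entity content might
+be allocated from a dict. In this case, the dict entry becomes corrupted
+leading to all kinds of logic errors, including memory errors like
+double-frees.
+
+Stop storing entity content, orig, ExternalID and SystemID in a dict.
+These values are unlikely to occur multiple times in a document, so they
+shouldn't have been stored in a dict in the first place.
+
+Thanks to Ned Williamson and Nathan Wachholz working with Google Project
+Zero for the report!
+
+CVE: CVE-2022-40304
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b]
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ entities.c | 55 ++++++++++++++++--------------------------------------
+ 1 file changed, 16 insertions(+), 39 deletions(-)
+
+diff --git a/entities.c b/entities.c
+index 84435515..d4e5412e 100644
+--- a/entities.c
++++ b/entities.c
+@@ -128,36 +128,19 @@ xmlFreeEntity(xmlEntityPtr entity)
+ if ((entity->children) && (entity->owner == 1) &&
+ (entity == (xmlEntityPtr) entity->children->parent))
+ xmlFreeNodeList(entity->children);
+- if (dict != NULL) {
+- if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name)))
+- xmlFree((char *) entity->name);
+- if ((entity->ExternalID != NULL) &&
+- (!xmlDictOwns(dict, entity->ExternalID)))
+- xmlFree((char *) entity->ExternalID);
+- if ((entity->SystemID != NULL) &&
+- (!xmlDictOwns(dict, entity->SystemID)))
+- xmlFree((char *) entity->SystemID);
+- if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI)))
+- xmlFree((char *) entity->URI);
+- if ((entity->content != NULL)
+- && (!xmlDictOwns(dict, entity->content)))
+- xmlFree((char *) entity->content);
+- if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig)))
+- xmlFree((char *) entity->orig);
+- } else {
+- if (entity->name != NULL)
+- xmlFree((char *) entity->name);
+- if (entity->ExternalID != NULL)
+- xmlFree((char *) entity->ExternalID);
+- if (entity->SystemID != NULL)
+- xmlFree((char *) entity->SystemID);
+- if (entity->URI != NULL)
+- xmlFree((char *) entity->URI);
+- if (entity->content != NULL)
+- xmlFree((char *) entity->content);
+- if (entity->orig != NULL)
+- xmlFree((char *) entity->orig);
+- }
++ if ((entity->name != NULL) &&
++ ((dict == NULL) || (!xmlDictOwns(dict, entity->name))))
++ xmlFree((char *) entity->name);
++ if (entity->ExternalID != NULL)
++ xmlFree((char *) entity->ExternalID);
++ if (entity->SystemID != NULL)
++ xmlFree((char *) entity->SystemID);
++ if (entity->URI != NULL)
++ xmlFree((char *) entity->URI);
++ if (entity->content != NULL)
++ xmlFree((char *) entity->content);
++ if (entity->orig != NULL)
++ xmlFree((char *) entity->orig);
+ xmlFree(entity);
+ }
+
+@@ -193,18 +176,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type,
+ ret->SystemID = xmlStrdup(SystemID);
+ } else {
+ ret->name = xmlDictLookup(dict, name, -1);
+- if (ExternalID != NULL)
+- ret->ExternalID = xmlDictLookup(dict, ExternalID, -1);
+- if (SystemID != NULL)
+- ret->SystemID = xmlDictLookup(dict, SystemID, -1);
++ ret->ExternalID = xmlStrdup(ExternalID);
++ ret->SystemID = xmlStrdup(SystemID);
+ }
+ if (content != NULL) {
+ ret->length = xmlStrlen(content);
+- if ((dict != NULL) && (ret->length < 5))
+- ret->content = (xmlChar *)
+- xmlDictLookup(dict, content, ret->length);
+- else
+- ret->content = xmlStrndup(content, ret->length);
++ ret->content = xmlStrndup(content, ret->length);
+ } else {
+ ret->length = 0;
+ ret->content = NULL;
+--
+GitLab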
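Review bot: xmlFreeEntity now calls xmlFree() on `URI` and `orig` unconditionally, but the only allocation sites this patch changes are `ExternalID`, `SystemID` and `content` in xmlCreateEntity; nothing visible shows where `URI` and `orig` are assigned. Before this change a dict-owned string in any of those fields was skipped through xmlDictOwns(), so on the 2.9.10 base it should be confirmed that no other file stores a dict string there, otherwise the free would land on dict memory. A one-line comment above the frees would keep the ownership rule visible: `/* Only name may be dict-owned; every other string is a heap copy. */`. Both functions extend beyond their hunks.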
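--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
@@ -0,0 +1,79 @@
+From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:46:35 +0200
+Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
+
+Fix a null pointer dereference when parsing (invalid) XML schemas.
+
+Thanks to Robby Simpson for the report!
+
+Fixes #491.
+
+CVE: CVE-2023-28484
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ result/schemas/issue491_0_0.err | 1 +
+ test/schemas/issue491_0.xml | 1 +
+ test/schemas/issue491_0.xsd | 18 ++++++++++++++++++
+ xmlschemas.c | 2 +-
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 result/schemas/issue491_0_0.err
+ create mode 100644 test/schemas/issue491_0.xml
+ create mode 100644 test/schemas/issue491_0.xsd
+
+diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
+new file mode 100644
+index 00000000..9b2bb969
+--- /dev/null
++++ b/result/schemas/issue491_0_0.err
+@@ -0,0 +1 @@
++./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
+diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
+new file mode 100644
+index 00000000..e2b2fc2e
+--- /dev/null
++++ b/test/schemas/issue491_0.xml
+@@ -0,0 +1 @@
++<Child xmlns="http://www.test.com">5</Child>
+diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
+new file mode 100644
+index 00000000..81702649
+--- /dev/null
++++ b/test/schemas/issue491_0.xsd
+@@ -0,0 +1,18 @@
++<?xml version='1.0' encoding='UTF-8'?>
++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
++ <xs:complexType name="BaseType">
++ <xs:simpleContent>
++ <xs:extension base="xs:int" />
++ </xs:simpleContent>
++ </xs:complexType>
++ <xs:complexType name="ChildType">
++ <xs:complexContent>
++ <xs:extension base="BaseType">
++ <xs:sequence>
++ <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
++ </xs:sequence>
++ </xs:extension>
++ </xs:complexContent>
++ </xs:complexType>
++ <xs:element name="Child" type="ChildType" />
++</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 6a353858..a4eaf591 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -18632,7 +18632,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
+ "allowed to appear inside other model groups",
+ NULL, NULL);
+
+- } else if (! dummySequence) {
++ } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
+ xmlSchemaTreeItemPtr effectiveContent =
+ (xmlSchemaTreeItemPtr) type->subtypes;
+ /*
+--
+GitLab
+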
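Review bot: The new `baseType->subtypes != NULL` condition in xmlSchemaFixupComplexType has no comment saying when a base type has no subtypes, so the next reader has to go to the issue tracker to learn why the guard exists. Judging from the added issue491_0.xsd, it appears to be a complexContent extension whose base type has simple content; a comment above the `else if` such as `/* base type may have no model group (e.g. simple content), see issue 491 */` would record that. The function body lies outside the hunk, so whether `baseType` itself is already known to be non-NULL at this point cannot be checked here.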
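--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
@@ -0,0 +1,42 @@
+From 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:49:27 +0200
+Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
+ deterministic
+
+When hashing empty strings which aren't null-terminated,
+xmlDictComputeFastKey could produce inconsistent results. This could
+lead to various logic or memory errors, including double frees.
+
+For consistency the seed is also taken into account, but this shouldn't
+have an impact on security.
+
+Found by OSS-Fuzz.
+
+Fixes #510.
+
+CVE: CVE-2023-29469
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ dict.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index 86c3f6d7..d7fd1a06 100644
+--- a/dict.c
++++ b/dict.c
+@@ -451,7 +451,8 @@ static unsigned long
+ xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
+ unsigned long value = seed;
+
+- if (name == NULL) return(0);
++ if ((name == NULL) || (namelen <= 0))
++ return(value);
+ value = *name;
+ value <<= 5;
+ if (namelen > 10) {
+--
+GitLab
+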
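Review bot: In xmlDictComputeFastKey the seed now reaches the result only through the new early return, because the context line right after it, `value = *name;`, overwrites the seeded initial value for every non-empty name. That line predates this patch and the fix for empty, non-terminated names does not depend on it, but the description's "the seed is also taken into account" then holds only for the empty case on this base. A short comment on the guard would make the intent explicit: `/* empty or NULL names hash to the seed; never read *name when namelen <= 0 */`. The rest of the function is outside the hunk.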
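--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch
@@ -0,0 +1,36 @@
+From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 6 May 2023 17:47:37 +0200
+Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks
+
+For some reason, xmlCtxtUseOptionsInternal set the start and end element
+SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1
+was specified. This means that custom SAX handlers could never work with
+that flag because these functions would receive the wrong user data
+argument and crash immediately.
+
+Fixes #535.
+
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9]
+CVE: CVE-2023-39615
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ parser.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 6e09208..7814e6e 100644
+--- a/parser.c
++++ b/parser.c
+@@ -15156,8 +15156,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
+ }
+ #ifdef LIBXML_SAX1_ENABLED
+ if (options & XML_PARSE_SAX1) {
+- ctxt->sax->startElement = xmlSAX2StartElement;
+- ctxt->sax->endElement = xmlSAX2EndElement;
+ ctxt->sax->startElementNs = NULL;
+ ctxt->sax->endElementNs = NULL;
+ ctxt->sax->initialized = 1;
+--
+2.24.4
+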
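Review bot: The header of this patch does not say that it has to be applied together with CVE-2023-39615-0002.patch, unlike CVE-2023-39615-pre.patch, which carries such a note. Once these two assignments are gone, `XML_PARSE_SAX1` leaves `startElement`/`endElement` as the handler already has them, and the lines removed by 0002 show xmlSAXVersion() setting both to NULL for version 2, so 0001 on its own would presumably leave a default context without SAX1 element callbacks. I would add a line to the description such as `Note: requires CVE-2023-39615-0002.patch, which initializes the SAX1 element handlers.`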
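--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch
@@ -0,0 +1,71 @@
+From 235b15a590eecf97b09e87bdb7e4f8333e9de129 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 8 May 2023 17:58:02 +0200
+Subject: [PATCH] SAX: Always initialize SAX1 element handlers
+
+Follow-up to commit d0c3f01e. A parser context will be initialized to
+SAX version 2, but this can be overridden with XML_PARSE_SAX1 later,
+so we must initialize the SAX1 element handlers as well.
+
+Change the check in xmlDetectSAX2 to only look for XML_SAX2_MAGIC, so
+we don't switch to SAX1 if the SAX2 element handlers are NULL.
+
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129]
+CVE: CVE-2023-39615
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ SAX2.c | 11 +++++++----
+ parser.c | 5 +----
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/SAX2.c b/SAX2.c
+index 5f141f9..902d34d 100644
+--- a/SAX2.c
++++ b/SAX2.c
+@@ -2869,20 +2869,23 @@ xmlSAXVersion(xmlSAXHandler *hdlr, int version)
+ {
+ if (hdlr == NULL) return(-1);
+ if (version == 2) {
+- hdlr->startElement = NULL;
+- hdlr->endElement = NULL;
+ hdlr->startElementNs = xmlSAX2StartElementNs;
+ hdlr->endElementNs = xmlSAX2EndElementNs;
+ hdlr->serror = NULL;
+ hdlr->initialized = XML_SAX2_MAGIC;
+ #ifdef LIBXML_SAX1_ENABLED
+ } else if (version == 1) {
+- hdlr->startElement = xmlSAX2StartElement;
+- hdlr->endElement = xmlSAX2EndElement;
+ hdlr->initialized = 1;
+ #endif /* LIBXML_SAX1_ENABLED */
+ } else
+ return(-1);
++#ifdef LIBXML_SAX1_ENABLED
++ hdlr->startElement = xmlSAX2StartElement;
++ hdlr->endElement = xmlSAX2EndElement;
++#else
++ hdlr->startElement = NULL;
++ hdlr->endElement = NULL;
++#endif /* LIBXML_SAX1_ENABLED */
+ hdlr->internalSubset = xmlSAX2InternalSubset;
+ hdlr->externalSubset = xmlSAX2ExternalSubset;
+ hdlr->isStandalone = xmlSAX2IsStandalone;
+diff --git a/parser.c b/parser.c
+index 7814e6e..cf0fb38 100644
+--- a/parser.c
++++ b/parser.c
+@@ -1102,10 +1102,7 @@ xmlDetectSAX2(xmlParserCtxtPtr ctxt) {
+ if (ctxt == NULL) return;
+ sax = ctxt->sax;
+ #ifdef LIBXML_SAX1_ENABLED
+- if ((sax) && (sax->initialized == XML_SAX2_MAGIC) &&
+- ((sax->startElementNs != NULL) ||
+- (sax->endElementNs != NULL) ||
+- ((sax->startElement == NULL) && (sax->endElement == NULL))))
++ if ((sax) && (sax->initialized == XML_SAX2_MAGIC))
+ ctxt->sax2 = 1;
+ #else
+ ctxt->sax2 = 1;
+--
+2.24.4
+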
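Review bot: xmlDetectSAX2 now selects SAX2 on `initialized == XML_SAX2_MAGIC` alone, so a caller-supplied handler that carries the magic value but fills in only `startElement`/`endElement` would no longer fall back to SAX1 and, as far as this hunk shows, its element callbacks would go unused. That matches the upstream change, but on a stable branch it is an API-visible difference and deserves a sentence in the patch description. In xmlSAXVersion the SAX1 handlers are now assigned after the version check for both versions; a comment there, e.g. `/* set for SAX2 too: XML_PARSE_SAX1 may be requested later */`, would explain why. Both functions continue outside their hunks.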
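diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-39615-pre.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-pre.patch
new file mode 100644
index 0000000000..b177cdaba0
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-pre.patch
@@ -0,0 +1,44 @@
+From 99fc048d7f7292c5ee18e44c400bd73bc63a47ed Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 14 Aug 2020 14:18:50 +0200
+Subject: [PATCH] Don't use SAX1 if all element handlers are NULL
+
+Running xmllint with "--sax --noout" installs a SAX2 handler with all
+callbacks set to NULL. In this case or similar situations, we don't want
+to switch to SAX1 parsing.
+
+Note: This patch is needed for "CVE-2023-39615-0002" patch to apply.
+Without this patch the build will fail with undefined sax error.
+
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/99fc048d7f7292c5ee18e44c400bd73bc63a47ed]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ parser.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index bb677b0..6e09208 100644
+--- a/parser.c
++++ b/parser.c
+@@ -1098,11 +1098,15 @@ xmlHasFeature(xmlFeature feature)
+ */
+ static void
+ xmlDetectSAX2(xmlParserCtxtPtr ctxt) {
++ xmlSAXHandlerPtr sax;
+ if (ctxt == NULL) return;
++ sax = ctxt->sax;
+ #ifdef LIBXML_SAX1_ENABLED
+- if ((ctxt->sax) && (ctxt->sax->initialized == XML_SAX2_MAGIC) &&
+- ((ctxt->sax->startElementNs != NULL) ||
+- (ctxt->sax->endElementNs != NULL))) ctxt->sax2 = 1;
++ if ((sax) && (sax->initialized == XML_SAX2_MAGIC) &&
++ ((sax->startElementNs != NULL) ||
++ (sax->endElementNs != NULL) ||
++ ((sax->startElement == NULL) && (sax->endElement == NULL))))
++ ctxt->sax2 = 1;
+ #else
+ ctxt->sax2 = 1;
+ #endif /* LIBXML_SAX1_ENABLED */
+--
+2.24.4
+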
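Review bot: The patch header uses `Upstream-Status: Backport from [...]` and has no `CVE:` tag, whereas the other backports added in this commit use `Upstream-Status: Backport [URL]` and, for a prerequisite patch, `CVE: CVE-2024-25062 #Dependency Patch`. I would write `Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/99fc048d7f7292c5ee18e44c400bd73bc63a47ed]` and add `CVE: CVE-2023-39615 #Dependency Patch`, so readers and patch-status tooling treat it like its siblings. The note in the header could also name the actual dependency, the local `sax` variable introduced in xmlDetectSAX2, because the extra `(sax->startElement == NULL) && (sax->endElement == NULL)` test added here is removed again by CVE-2023-39615-0002.patch. xmlDetectSAX2 continues past the end of the hunk.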
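diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
new file mode 100644
index 0000000000..182bb29abd
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,50 @@
+From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 2 Nov 2022 15:44:42 +0100
+Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
+
+Found with libFuzzer, see #344.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tree.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 507869efe..647288ce3 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ }
+ if (doc->intSubset == NULL) {
+ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+- if (q == NULL) return(NULL);
++ if (q == NULL) goto error;
+ q->doc = doc;
+ q->parent = parent;
+ doc->intSubset = (xmlDtdPtr) q;
+@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ } else
+ #endif /* LIBXML_TREE_ENABLED */
+ q = xmlStaticCopyNode(node, doc, parent, 1);
+- if (q == NULL) return(NULL);
++ if (q == NULL) goto error;
+ if (ret == NULL) {
+ q->prev = NULL;
+ ret = p = q;
+@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ node = node->next;
+ }
+ return(ret);
++error:
++ xmlFreeNodeList(ret);
++ return(NULL);
+ }
+
+ /**
+--
+GitLab
+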
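Review bot: The new `error:` path calls `xmlFreeNodeList(ret)` even though the DTD branch in the first hunk has already stored the copied DTD in `doc->intSubset`, so after a later allocation failure `doc->intSubset` may be left pointing at a node the error path has handed to the free routine. That appears to be the condition CVE-2023-45322-2.patch describes as "Fix UAF if malloc fails", which would make this patch safe only together with its successor. The header should say so and carry the tag the other prerequisite patches in this commit use, for example `CVE: CVE-2023-45322 #Dependency Patch` plus a line such as `Note: must be applied together with CVE-2023-45322-2.patch`. xmlStaticCopyNodeList starts before the first hunk.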
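diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
new file mode 100644
index 0000000000..c7e9681e6a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,80 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+
+Fixes #583.
+
+CVE: CVE-2023-45322
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tree.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 6c8a875b9..02c1b5791 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4471,29 +4471,28 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ xmlNodePtr ret = NULL;
+ xmlNodePtr p = NULL,q;
++ xmlDtdPtr newSubset = NULL;
+
+ while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+ if (node->type == XML_DTD_NODE ) {
+- if (doc == NULL) {
++#ifdef LIBXML_TREE_ENABLED
++ if ((doc == NULL) || (doc->intSubset != NULL)) {
+ node = node->next;
+ continue;
+ }
+- if (doc->intSubset == NULL) {
+- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+- if (q == NULL) goto error;
+- q->doc = doc;
+- q->parent = parent;
+- doc->intSubset = (xmlDtdPtr) q;
+- xmlAddChild(parent, q);
+- } else {
+- q = (xmlNodePtr) doc->intSubset;
+- xmlAddChild(parent, q);
+- }
+- } else
++ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
++ if (q == NULL) goto error;
++ q->doc = doc;
++ q->parent = parent;
++ newSubset = (xmlDtdPtr) q;
++#else
++ node = node->next;
++ continue;
+ #endif /* LIBXML_TREE_ENABLED */
++ } else {
+ q = xmlStaticCopyNode(node, doc, parent, 1);
+- if (q == NULL) goto error;
++ if (q == NULL) goto error;
++ }
+ if (ret == NULL) {
+ q->prev = NULL;
+ ret = p = q;
+@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ }
+ node = node->next;
+ }
++ if (newSubset != NULL)
++ doc->intSubset = newSubset;
+ return(ret);
+ error:
+ xmlFreeNodeList(ret);
+--
+GitLab
+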
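Review bot: The skip test `if ((doc == NULL) || (doc->intSubset != NULL))` consults only `doc->intSubset`, which this version no longer sets until after the loop, so a second XML_DTD_NODE in the same sibling list would be copied too, at odds with the stated goal "Don't create multiple DTD nodes". Testing the pending copy as well, `if ((doc == NULL) || (doc->intSubset != NULL) || (newSubset != NULL))`, would close that gap. For a backport it is better to check whether upstream later adjusted this function and take that change rather than diverge locally. The error path also relies on `xmlFreeNodeList(ret)` disposing of the copied DTD that is now linked into `ret`, which depends on how the 2.9.10 implementation treats DTD nodes and is not shown in the hunk. xmlStaticCopyNodeList continues after the last hunk.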
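diff --git a/meta/recipes-core/libxml/libxml2/CVE-2024-25062-pre1.patch b/meta/recipes-core/libxml/libxml2/CVE-2024-25062-pre1.patch
new file mode 100644
index 0000000000..31183399f8
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2024-25062-pre1.patch
@@ -0,0 +1,38 @@
+From 31c6ce3b63f8a494ad9e31ca65187a73d8ad3508 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 9 Nov 2020 17:55:44 +0100
+Subject: [PATCH] Avoid call stack overflow with XML reader and recursive
+ XIncludes
+
+Don't process XIncludes in the result of another inclusion to avoid
+infinite recursion resulting in a call stack overflow.
+
+This is something the XInclude engine shouldn't allow but correct
+handling of intra-document includes would require major changes.
+
+Found by OSS-Fuzz.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/31c6ce3b63f8a494ad9e31ca65187a73d8ad3508]
+CVE: CVE-2024-25062 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xmlreader.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 01adf74f4..72e40b032 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -1585,7 +1585,8 @@ node_found:
+ /*
+ * Handle XInclude if asked for
+ */
+- if ((reader->xinclude) && (reader->node != NULL) &&
++ if ((reader->xinclude) && (reader->in_xinclude == 0) &&
++ (reader->node != NULL) &&
+ (reader->node->type == XML_ELEMENT_NODE) &&
+ (reader->node->ns != NULL) &&
+ ((xmlStrEqual(reader->node->ns->href, XINCLUDE_NS)) ||
+--
+GitLab
+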
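Review bot: The header tags this patch only as `CVE: CVE-2024-25062 #Dependency Patch`, but by its own description the added `(reader->in_xinclude == 0)` test changes behaviour: the reader no longer expands XIncludes found inside already included content. A header line saying so, e.g. `Note: also stops the reader from expanding XIncludes nested in included content`, would point integrators here if documents with nested includes start parsing differently after the update. The `if` condition continues past the end of the hunk.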
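diff --git a/meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch b/meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch
new file mode 100644
index 0000000000..5365d5546a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch
@@ -0,0 +1,33 @@
+From 2b0aac140d739905c7848a42efc60bfe783a39b7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 14 Oct 2023 22:45:54 +0200
+Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
+ backtracking
+
+Fixes a use-after-free if XML Reader if used with DTD validation and
+XInclude expansion.
+
+Fixes #604.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7]
+CVE: CVE-2024-25062
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xmlreader.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 979385a13..fefd68e0b 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -1443,6 +1443,7 @@ node_found:
+ * Handle XInclude if asked for
+ */
+ if ((reader->xinclude) && (reader->in_xinclude == 0) &&
++ (reader->state != XML_TEXTREADER_BACKTRACK) &&
+ (reader->node != NULL) &&
+ (reader->node->type == XML_ELEMENT_NODE) &&
+ (reader->node->ns != NULL) &&
+--
+GitLab
+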
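Review bot: The hunk header `@@ -1443,6 +1443,7 @@ node_found:` places this change about 140 lines away from where CVE-2024-25062-pre1.patch edits the same condition (`@@ -1585,7 +1585,8 @@`), which suggests the two patches were taken from different upstream trees and not refreshed against the patched 2.9.10 source. Since this single line is the guard against the use-after-free, I would refresh both patches against the recipe's source so they apply without offset or fuzz, and confirm in the unpacked tree that `(reader->state != XML_TEXTREADER_BACKTRACK) &&` landed in the XInclude condition under `node_found:`. No regression test accompanies the backport, so that check is the only evidence the fix is in place. The condition continues past the end of the hunk.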
diff --git a/meta/recipes-core/libxml/libxml2/runtest.patch b/meta/recipes-core/libxml/libxml2/runtest.patch
index 0dbb353c0f..c7a90cd3dc 100644
--- a/meta/recipes-core/libxml/libxml2/runtest.patch
+++ b/meta/recipes-core/libxml/libxml2/runtest.patch
@@ -1,28 +1,33 @@
1Add 'install-ptest' rule. Print a standard result line for 1From 6172ccd1e74bc181f5298f19e240234e12876abe Mon Sep 17 00:00:00 2001
2each test. 2From: Tony Tascioglu <tony.tascioglu@windriver.com>
3Date: Tue, 11 May 2021 11:57:46 -0400
4Subject: [PATCH] Add 'install-ptest' rule.
5
6Print a standard result line for each test.
3 7
4Signed-off-by: Mihaela Sendrea <mihaela.sendrea@enea.com> 8Signed-off-by: Mihaela Sendrea <mihaela.sendrea@enea.com>
5Signed-off-by: Andrej Valek <andrej.valek@siemens.com> 9Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
6Upstream-Status: Backport 10Upstream-Status: Pending
7 11
8Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> 12Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
13Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
9--- 14---
10 Makefile.am | 9 ++++ 15 Makefile.am | 9 +++
11 runsuite.c | 1 + 16 runsuite.c | 1 +
12 runtest.c | 2 + 17 runtest.c | 2 +
13 runxmlconf.c | 1 + 18 runxmlconf.c | 1 +
14 testapi.c | 122 ++++++++++++++++++++++++++++++--------------- 19 testapi.c | 122 ++++++++++++++++++++++++++-------------
15 testchar.c | 156 +++++++++++++++++++++++++++++++++++++++++----------------- 20 testchar.c | 156 +++++++++++++++++++++++++++++++++++---------------
16 testdict.c | 1 + 21 testdict.c | 1 +
17 testlimits.c | 1 + 22 testlimits.c | 1 +
18 testrecurse.c | 2 + 23 testrecurse.c | 2 +
19 9 files changed, 210 insertions(+), 85 deletions(-) 24 9 files changed, 210 insertions(+), 85 deletions(-)
20 25
21diff --git a/Makefile.am b/Makefile.am 26diff --git a/Makefile.am b/Makefile.am
22index 9c630be..7cfd04b 100644 27index 05d1671f..ae622745 100644
23--- a/Makefile.am 28--- a/Makefile.am
24+++ b/Makefile.am 29+++ b/Makefile.am
25@@ -202,6 +202,15 @@ runxmlconf_LDADD= $(LDADDS) 30@@ -198,6 +198,15 @@ runxmlconf_LDADD= $(LDADDS)
26 #testOOM_DEPENDENCIES = $(DEPS) 31 #testOOM_DEPENDENCIES = $(DEPS)
27 #testOOM_LDADD= $(LDADDS) 32 #testOOM_LDADD= $(LDADDS)
28 33
@@ -39,10 +44,10 @@ index 9c630be..7cfd04b 100644
39 testchar$(EXEEXT) testdict$(EXEEXT) runxmlconf$(EXEEXT) 44 testchar$(EXEEXT) testdict$(EXEEXT) runxmlconf$(EXEEXT)
40 [ -d test ] || $(LN_S) $(srcdir)/test . 45 [ -d test ] || $(LN_S) $(srcdir)/test .
41diff --git a/runsuite.c b/runsuite.c 46diff --git a/runsuite.c b/runsuite.c
42index aaab13e..9ba2c5d 100644 47index d24b5ec3..f7ff2521 100644
43--- a/runsuite.c 48--- a/runsuite.c
44+++ b/runsuite.c 49+++ b/runsuite.c
45@@ -1162,6 +1162,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) { 50@@ -1147,6 +1147,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) {
46 51
47 if (logfile != NULL) 52 if (logfile != NULL)
48 fclose(logfile); 53 fclose(logfile);
@@ -51,10 +56,10 @@ index aaab13e..9ba2c5d 100644
51 } 56 }
52 #else /* !SCHEMAS */ 57 #else /* !SCHEMAS */
53diff --git a/runtest.c b/runtest.c 58diff --git a/runtest.c b/runtest.c
54index addda5c..8ba5d59 100644 59index ffa98d04..470f95cb 100644
55--- a/runtest.c 60--- a/runtest.c
56+++ b/runtest.c 61+++ b/runtest.c
57@@ -4501,6 +4501,7 @@ launchTests(testDescPtr tst) { 62@@ -4508,6 +4508,7 @@ launchTests(testDescPtr tst) {
58 xmlCharEncCloseFunc(ebcdicHandler); 63 xmlCharEncCloseFunc(ebcdicHandler);
59 xmlCharEncCloseFunc(eucJpHandler); 64 xmlCharEncCloseFunc(eucJpHandler);
60 65
@@ -62,7 +67,7 @@ index addda5c..8ba5d59 100644
62 return(err); 67 return(err);
63 } 68 }
64 69
65@@ -4577,6 +4578,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) { 70@@ -4588,6 +4589,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) {
66 xmlCleanupParser(); 71 xmlCleanupParser();
67 xmlMemoryDump(); 72 xmlMemoryDump();
68 73
@@ -71,7 +76,7 @@ index addda5c..8ba5d59 100644
71 } 76 }
72 77
73diff --git a/runxmlconf.c b/runxmlconf.c 78diff --git a/runxmlconf.c b/runxmlconf.c
74index cef20f4..4f291fb 100644 79index 70f61017..e882b3a1 100644
75--- a/runxmlconf.c 80--- a/runxmlconf.c
76+++ b/runxmlconf.c 81+++ b/runxmlconf.c
77@@ -595,6 +595,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) { 82@@ -595,6 +595,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) {
@@ -83,7 +88,7 @@ index cef20f4..4f291fb 100644
83 } 88 }
84 89
85diff --git a/testapi.c b/testapi.c 90diff --git a/testapi.c b/testapi.c
86index 4a751e2..7ccc066 100644 91index ff8b470d..52b51d78 100644
87--- a/testapi.c 92--- a/testapi.c
88+++ b/testapi.c 93+++ b/testapi.c
89@@ -1246,49 +1246,91 @@ static int 94@@ -1246,49 +1246,91 @@ static int
@@ -219,7 +224,7 @@ index 4a751e2..7ccc066 100644
219 } 224 }
220 225
221diff --git a/testchar.c b/testchar.c 226diff --git a/testchar.c b/testchar.c
222index 0d08792..f555d3b 100644 227index 6866a175..7bce0132 100644
223--- a/testchar.c 228--- a/testchar.c
224+++ b/testchar.c 229+++ b/testchar.c
225@@ -23,7 +23,7 @@ static void errorHandler(void *unused, xmlErrorPtr err) { 230@@ -23,7 +23,7 @@ static void errorHandler(void *unused, xmlErrorPtr err) {
@@ -797,7 +802,7 @@ index 0d08792..f555d3b 100644
797 /* 802 /*
798 * Cleanup function for the XML library. 803 * Cleanup function for the XML library.
799diff --git a/testdict.c b/testdict.c 804diff --git a/testdict.c b/testdict.c
800index 40bebd0..114b934 100644 805index 40bebd05..114b9347 100644
801--- a/testdict.c 806--- a/testdict.c
802+++ b/testdict.c 807+++ b/testdict.c
803@@ -440,5 +440,6 @@ int main(void) 808@@ -440,5 +440,6 @@ int main(void)
@@ -808,7 +813,7 @@ index 40bebd0..114b934 100644
808 return(ret); 813 return(ret);
809 } 814 }
810diff --git a/testlimits.c b/testlimits.c 815diff --git a/testlimits.c b/testlimits.c
811index 68c94db..1584434 100644 816index 059116a6..f0bee68d 100644
812--- a/testlimits.c 817--- a/testlimits.c
813+++ b/testlimits.c 818+++ b/testlimits.c
814@@ -1634,5 +1634,6 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) { 819@@ -1634,5 +1634,6 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) {
@@ -819,7 +824,7 @@ index 68c94db..1584434 100644
819 return(ret); 824 return(ret);
820 } 825 }
821diff --git a/testrecurse.c b/testrecurse.c 826diff --git a/testrecurse.c b/testrecurse.c
822index f95ae1c..74c8f8b 100644 827index 0cbe25a6..3ecadb40 100644
823--- a/testrecurse.c 828--- a/testrecurse.c
824+++ b/testrecurse.c 829+++ b/testrecurse.c
825@@ -892,6 +892,7 @@ launchTests(testDescPtr tst) { 830@@ -892,6 +892,7 @@ launchTests(testDescPtr tst) {
@@ -838,5 +843,5 @@ index f95ae1c..74c8f8b 100644
838 return(ret); 843 return(ret);
839 } 844 }
840-- 845--
8412.7.4 8462.25.1
842 847
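Review bot: The refreshed header changes `Upstream-Status: Backport` to `Upstream-Status: Pending` and adds a `From:`/`Date:`/`Subject:` block, and nothing visible in the patch explains either. The patch adds an `install-ptest` rule and per-test result lines, which reads as OE-specific, so `Upstream-Status: Inappropriate [oe-specific]` may describe it better than Pending; if it was in fact sent upstream, `Upstream-Status: Submitted [URL]` with the link would be the accurate form.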
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 4ebfb9e556..72f830b6d3 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -1,6 +1,6 @@
1SUMMARY = "XML C Parser Library and Toolkit" 1SUMMARY = "XML C Parser Library and Toolkit"
2DESCRIPTION = "The XML Parser Library allows for manipulation of XML files. Libxml2 exports Push and Pull type parser interfaces for both XML and HTML. It can do DTD validation at parse time, on a parsed document instance or with an arbitrary DTD. Libxml2 includes complete XPath, XPointer and Xinclude implementations. It also has a SAX like interface, which is designed to be compatible with Expat." 2DESCRIPTION = "The XML Parser Library allows for manipulation of XML files. Libxml2 exports Push and Pull type parser interfaces for both XML and HTML. It can do DTD validation at parse time, on a parsed document instance or with an arbitrary DTD. Libxml2 includes complete XPath, XPointer and Xinclude implementations. It also has a SAX like interface, which is designed to be compatible with Expat."
3HOMEPAGE = "http://www.xmlsoft.org/" 3HOMEPAGE = "https://gitlab.gnome.org/GNOME/libxml2"
4BUGTRACKER = "http://bugzilla.gnome.org/buglist.cgi?product=libxml2" 4BUGTRACKER = "http://bugzilla.gnome.org/buglist.cgi?product=libxml2"
5SECTION = "libs" 5SECTION = "libs"
6LICENSE = "MIT" 6LICENSE = "MIT"
@@ -11,8 +11,9 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=2044417e2e5006b65a8b9067b683fcf1 \
11 11
12DEPENDS = "zlib virtual/libiconv" 12DEPENDS = "zlib virtual/libiconv"
13 13
14SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ 14inherit gnomebase
15 http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=testtar \ 15
16SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=testtar \
16 file://libxml-64bit.patch \ 17 file://libxml-64bit.patch \
17 file://runtest.patch \ 18 file://runtest.patch \
18 file://run-ptest \ 19 file://run-ptest \
@@ -23,10 +24,31 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
23 file://CVE-2020-7595.patch \ 24 file://CVE-2020-7595.patch \
24 file://CVE-2019-20388.patch \ 25 file://CVE-2019-20388.patch \
25 file://CVE-2020-24977.patch \ 26 file://CVE-2020-24977.patch \
27 file://CVE-2021-3517.patch \
28 file://CVE-2021-3537.patch \
29 file://CVE-2021-3518.patch \
30 file://CVE-2021-3541.patch \
31 file://CVE-2022-23308.patch \
32 file://CVE-2022-23308-fix-regression.patch \
33 file://CVE-2022-29824-dependent.patch \
34 file://CVE-2022-29824.patch \
35 file://0001-Port-gentest.py-to-Python-3.patch \
36 file://CVE-2016-3709.patch \
37 file://CVE-2022-40303.patch \
38 file://CVE-2022-40304.patch \
39 file://CVE-2023-28484.patch \
40 file://CVE-2023-29469.patch \
41 file://CVE-2023-39615-pre.patch \
42 file://CVE-2023-39615-0001.patch \
43 file://CVE-2023-39615-0002.patch \
44 file://CVE-2021-3516.patch \
45 file://CVE-2023-45322-1.patch \
46 file://CVE-2023-45322-2.patch \
47 file://CVE-2024-25062-pre1.patch \
48 file://CVE-2024-25062.patch \
26 " 49 "
27 50
28SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5" 51SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"
29SRC_URI[libtar.sha256sum] = "aafee193ffb8fe0c82d4afef6ef91972cbaf5feea100edc2f262750611b4be1f"
30SRC_URI[testtar.md5sum] = "ae3d1ebe000a3972afa104ca7f0e1b4a" 52SRC_URI[testtar.md5sum] = "ae3d1ebe000a3972afa104ca7f0e1b4a"
31SRC_URI[testtar.sha256sum] = "96151685cec997e1f9f3387e3626d61e6284d4d6e66e0e440c209286c03e9cc7" 53SRC_URI[testtar.sha256sum] = "96151685cec997e1f9f3387e3626d61e6284d4d6e66e0e440c209286c03e9cc7"
32 54
@@ -40,9 +62,9 @@ PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
40 62
41inherit autotools pkgconfig binconfig-disabled ptest features_check 63inherit autotools pkgconfig binconfig-disabled ptest features_check
42 64
43inherit ${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3native', '', d)} 65inherit ${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3targetconfig', '', d)}
44 66
45RDEPENDS_${PN}-ptest += "make ${@bb.utils.contains('PACKAGECONFIG', 'python', 'libgcc python3-core python3-logging python3-shell python3-stringold python3-threading python3-unittest ${PN}-python', '', d)}" 67RDEPENDS_${PN}-ptest += "bash make ${@bb.utils.contains('PACKAGECONFIG', 'python', 'libgcc python3-core python3-logging python3-shell python3-stringold python3-threading python3-unittest ${PN}-python', '', d)}"
46 68
47RDEPENDS_${PN}-python += "${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3-core', '', d)}" 69RDEPENDS_${PN}-python += "${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3-core', '', d)}"
48 70
@@ -81,6 +103,16 @@ do_configure_prepend () {
81} 103}
82 104
83do_compile_ptest() { 105do_compile_ptest() {
106 # Make sure that testapi.c is newer than gentests.py, because
107 # with reproducible builds, they will both get e.g. Jan 1 1970
108 # modification time from SOURCE_DATE_EPOCH and then check-am
109 # might try to rebuild_testapi, which will fail even with
110 # 0001-Port-gentest.py-to-Python-3.patch, because it needs
111 # libxml2 module (libxml2-native dependency and correctly
112 # set PYTHON_SITE_PACKAGES), it's easier to
113 # just rely on pre-generated testapi.c from the release
114 touch ${S}/testapi.c
115
84 oe_runmake check-am 116 oe_runmake check-am
85} 117}
86 118
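Review bot: The upstream tarball source and its checksum change in the same commit: `inherit gnomebase` replaces the xmlsoft.org URL, and `SRC_URI[archive.sha256sum]` replaces both `libtar` sums. The new hash therefore cannot be compared with the old one and should be verified against the checksum GNOME publishes for the 2.9.10 archive before merging. The conformance-suite tarball is still fetched over plain HTTP; its `sha256sum` protects the content, but `https://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=testtar` would also protect the transport, and the leftover `SRC_URI[testtar.md5sum]` adds nothing next to the SHA-256. `BUGTRACKER` also still points at the old bugzilla URL although `HOMEPAGE` moved to GitLab.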