1 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-support/libbsd/files/CVE-2016-2090.patch b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch
new file mode 100644
index 0000000000..2eaae1386d
--- /dev/null
+++ b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch
@@ -0,0 +1,50 @@
+From c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 Mon Sep 17 00:00:00 2001
+From: Hanno Boeck <hanno@hboeck.de>
+Date: Wed, 27 Jan 2016 15:10:11 +0100
+Subject: [PATCH] Fix heap buffer overflow in fgetwln()
+In the function fgetwln() there's a 4 byte heap overflow.
+There is a while loop that has this check to see whether there's still
+enough space in the buffer:
+                if (!fb->len || wused > fb->len) {
+If this is true more memory gets allocated. However this test won't be
+true if wused == fb->len, but at that point wused already points out
+of the buffer. Some lines later there's a write to the buffer:
+                fb->wbuf[wused++] = wc;
+This bug was found with the help of address sanitizer.
+Warned-by: ASAN
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881
+Signed-off-by: Guillem Jover <guillem@hadrons.org>
+Upstream-Status: Backport
+http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7
+CVE: CVE-2016-2090
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/fgetwln.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/fgetwln.c b/src/fgetwln.c
+index 9ee0776..aa3f927 100644
+--- a/src/fgetwln.c
+++ b/src/fgetwln.c
+@@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp)
+        fb->fp = stream;
+ 
+        while ((wc = fgetwc(stream)) != WEOF) {
+-               if (!fb->len || wused > fb->len) {
+               if (!fb->len || wused >= fb->len) {
+                        wchar_t *wp;
+ 
+                        if (fb->len)
+-- 
+2.3.5

diff --git a/meta/recipes-support/libbsd/files/CVE-2016-2090.patch b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch new file mode 100644 index 0000000000..2eaae1386d --- /dev/null +++ b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch
@@ -0,0 +1,50 @@
	1	From c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 Mon Sep 17 00:00:00 2001
	2	From: Hanno Boeck <hanno@hboeck.de>
	3	Date: Wed, 27 Jan 2016 15:10:11 +0100
	4	Subject: [PATCH] Fix heap buffer overflow in fgetwln()
	5
	6	In the function fgetwln() there's a 4 byte heap overflow.
	7
	8	There is a while loop that has this check to see whether there's still
	9	enough space in the buffer:
	10
	11	if (!fb->len \|\| wused > fb->len) {
	12
	13	If this is true more memory gets allocated. However this test won't be
	14	true if wused == fb->len, but at that point wused already points out
	15	of the buffer. Some lines later there's a write to the buffer:
	16
	17	fb->wbuf[wused++] = wc;
	18
	19	This bug was found with the help of address sanitizer.
	20
	21	Warned-by: ASAN
	22	Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881
	23	Signed-off-by: Guillem Jover <guillem@hadrons.org>
	24
	25	Upstream-Status: Backport
	26	http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7
	27
	28	CVE: CVE-2016-2090
	29	Signed-off-by: Armin Kuster <akuster@mvista.com>
	30
	31	---
	32	src/fgetwln.c \| 2 +-
	33	1 file changed, 1 insertion(+), 1 deletion(-)
	34
	35	diff --git a/src/fgetwln.c b/src/fgetwln.c
	36	index 9ee0776..aa3f927 100644
	37	--- a/src/fgetwln.c
	38	+++ b/src/fgetwln.c
	39	@@ -60,7 +60,7 @@ fgetwln(FILE stream, size_t lenp)
	40	fb->fp = stream;
	41
	42	while ((wc = fgetwc(stream)) != WEOF) {
	43	- if (!fb->len \|\| wused > fb->len) {
	44	+ if (!fb->len \|\| wused >= fb->len) {
	45	wchar_t *wp;
	46
	47	if (fb->len)
	48	--
	49	2.3.5
	50