Diffstat (limited to 'meta/recipes-support/libxslt/files/CVE-2019-13118.patch')
-rw-r--r-- | meta/recipes-support/libxslt/files/CVE-2019-13118.patch | 76 |
1 files changed, 76 insertions, 0 deletions
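--- /dev/null
+++ b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
@@ -0,0 +1,76 @@
+From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Jun 2019 13:14:45 +0200
+Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
+
+The character type in xsltFormatNumberConversion was too narrow and
+an invalid character/length combination could be passed to
+xsltNumberFormatDecimal, resulting in an uninitialized read.
+
+Found by OSS-Fuzz.
+
+CVE: CVE-2019-13118
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+---
+libxslt/numbers.c | 5 +++--
+tests/docs/bug-222.xml | 1 +
+tests/general/bug-222.out | 2 ++
+tests/general/bug-222.xsl | 6 ++++++
+4 files changed, 12 insertions(+), 2 deletions(-)
+create mode 100644 tests/docs/bug-222.xml
+create mode 100644 tests/general/bug-222.out
+create mode 100644 tests/general/bug-222.xsl
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index f1ed8846..20b99d5a 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
+number = floor((scale * number + 0.5)) / scale;
+if ((self->grouping != NULL) &&
+(self->grouping[0] != 0)) {
++ int gchar;
+
+len = xmlStrlen(self->grouping);
+- pchar = xsltGetUTF8Char(self->grouping, &len);
++ gchar = xsltGetUTF8Char(self->grouping, &len);
+xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+format_info.integer_digits,
+format_info.group,
+- pchar, len);
++ gchar, len);
+} else
+xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+format_info.integer_digits,
+diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
+new file mode 100644
+index 00000000..69d62f2c
+--- /dev/null
++++ b/tests/docs/bug-222.xml
+@@ -0,0 +1 @@
++<doc/>
+diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
+new file mode 100644
+index 00000000..e3139698
+--- /dev/null
++++ b/tests/general/bug-222.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++1⠢0
+diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
+new file mode 100644
+index 00000000..e32dc473
+--- /dev/null
++++ b/tests/general/bug-222.xsl
+@@ -0,0 +1,6 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++ <xsl:decimal-format name="f" grouping-separator="⠢"/>
++ <xsl:template match="/">
++ <xsl:value-of select="format-number(10,'#⠢0','f')"/>
++ </xsl:template>
++</xsl:stylesheet>
+--
+2.21.0
+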
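Review bot: In the numbers.c hunk the result of `xsltGetUTF8Char(self->grouping, &len)` is handed to `xsltNumberFormatDecimal` without checking that decoding succeeded. Widening to `int gchar` fixes the truncation, but as far as I recall the decoder signals a malformed sequence through a negative return with `len` reset, and that pair would still reach the formatter. The stylesheet parser probably only delivers valid UTF-8 here, but that is outside the hunk, so a guard such as `if ((gchar < 0) || (len <= 0))` falling back to the ungrouped call in the `else` branch would make the invariant local. The enclosing function starts and ends outside the hunk. Separately, the diffstat on this page is limited to the patch file, so it is worth confirming that the libxslt recipe's `SRC_URI` lists `CVE-2019-13118.patch`; otherwise the backport is never applied at build time.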