libxml2: Security fix for CVE-2016-4448

Affects libxml2 < 2.9.4

(From OE-Core rev: d4343f428c89c6c238cc7cd4c4732448a00003e4)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

3 files changed, 1277 insertions, 0 deletions

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-4448_1.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_1.patch
new file mode 100644
index 0000000000..1d08e57308
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_1.patch
@@ -0,0 +1,1067 @@
+From 4472c3a5a5b516aaf59b89be602fbce52756c3e9 Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@webkit.org>
+Date: Fri, 13 May 2016 15:13:17 +0800
+Subject: [PATCH] Fix some format string warnings with possible format string
+ vulnerability
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=761029
+
+Decorate every method in libxml2 with the appropriate
+LIBXML_ATTR_FORMAT(fmt,args) macro and add some cleanups
+following the reports.
+
+Upstream-Status: Backport
+CVE: CVE-2016-4448 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ HTMLparser.c                     |  4 +--
+ SAX2.c                           | 12 ++++----
+ catalog.c                        |  2 +-
+ configure.ac                     |  4 +--
+ debugXML.c                       |  4 +--
+ encoding.c                       |  2 +-
+ entities.c                       |  2 +-
+ error.c                          |  2 +-
+ include/libxml/parserInternals.h |  2 +-
+ include/libxml/xmlerror.h        |  2 +-
+ include/libxml/xmlstring.h       |  8 ++---
+ libxml.h                         |  2 +-
+ parser.c                         | 37 +++++++++++-----------
+ parserInternals.c                |  4 +--
+ relaxng.c                        |  4 +--
+ schematron.c                     |  2 +-
+ testModule.c                     |  2 +-
+ valid.c                          |  8 ++---
+ xinclude.c                       |  4 +--
+ xmlIO.c                          | 14 ++++-----
+ xmllint.c                        | 20 ++++++------
+ xmlreader.c                      | 16 +++++++---
+ xmlschemas.c                     | 66 ++++++++++++++++++++--------------------
+ xmlstring.c                      |  4 +--
+ xmlwriter.c                      |  4 +--
+ xpath.c                          |  2 +-
+ xpointer.c                       |  2 +-
+ 27 files changed, 121 insertions(+), 114 deletions(-)
+
+Index: libxml2-2.9.2/HTMLparser.c
+===================================================================
+--- libxml2-2.9.2.orig/HTMLparser.c
++++ libxml2-2.9.2/HTMLparser.c
+@@ -105,7 +105,7 @@ htmlErrMemory(xmlParserCtxtPtr ctxt, con
+  *
+  * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ htmlParseErr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+              const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+@@ -132,7 +132,7 @@ htmlParseErr(xmlParserCtxtPtr ctxt, xmlP
+  *
+  * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ htmlParseErrInt(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+              const char *msg, int val)
+ {
+Index: libxml2-2.9.2/SAX2.c
+===================================================================
+--- libxml2-2.9.2.orig/SAX2.c
++++ libxml2-2.9.2/SAX2.c
+@@ -55,7 +55,7 @@
+  * @ctxt:  an XML validation parser context
+  * @msg:   a string to accompany the error message
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(2,0)
+ xmlSAX2ErrMemory(xmlParserCtxtPtr ctxt, const char *msg) {
+     xmlStructuredErrorFunc schannel = NULL;
+     const char *str1 = "out of memory\n";
+@@ -93,7 +93,7 @@ xmlSAX2ErrMemory(xmlParserCtxtPtr ctxt,
+  *
+  * Handle a validation error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlErrValid(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+             const char *msg, const char *str1, const char *str2)
+ {
+@@ -133,7 +133,7 @@ xmlErrValid(xmlParserCtxtPtr ctxt, xmlPa
+  *
+  * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+                const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+@@ -164,7 +164,7 @@ xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xm
+  *
+  * Handle a parser warning
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+                const char *msg, const xmlChar *str1)
+ {
+@@ -189,7 +189,7 @@ xmlWarnMsg(xmlParserCtxtPtr ctxt, xmlPar
+  *
+  * Handle a namespace error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlNsErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+             const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+@@ -213,7 +213,7 @@ xmlNsErrMsg(xmlParserCtxtPtr ctxt, xmlPa
+  *
+  * Handle a namespace warning
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlNsWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+              const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+Index: libxml2-2.9.2/catalog.c
+===================================================================
+--- libxml2-2.9.2.orig/catalog.c
++++ libxml2-2.9.2/catalog.c
+@@ -238,7 +238,7 @@ xmlCatalogErrMemory(const char *extra)
+  *
+  * Handle a catalog error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlCatalogErr(xmlCatalogEntryPtr catal, xmlNodePtr node, int error,
+                const char *msg, const xmlChar *str1, const xmlChar *str2,
+               const xmlChar *str3)
+Index: libxml2-2.9.2/configure.ac
+===================================================================
+--- libxml2-2.9.2.orig/configure.ac
++++ libxml2-2.9.2/configure.ac
+@@ -770,7 +770,7 @@ else
+     fi
+ 
+     # warnings we'd like to see
+-    CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls"
++    CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls"
+     # warnings we'd like to supress
+     CFLAGS="${CFLAGS} -Wno-long-long"
+     case "${host}" in
+@@ -990,7 +990,7 @@ if [[ "${LOGNAME}" = "veillard" -a "`pwd
+        fi
+     fi
+     if test "${GCC}" = "yes" ; then
+-    CFLAGS="-g -O -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall"
++    CFLAGS="-g -O -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall"
+     fi
+     STATIC_BINARIES="-static"
+ dnl -Wcast-qual -ansi
+Index: libxml2-2.9.2/debugXML.c
+===================================================================
+--- libxml2-2.9.2.orig/debugXML.c
++++ libxml2-2.9.2/debugXML.c
+@@ -164,7 +164,7 @@ xmlDebugErr(xmlDebugCtxtPtr ctxt, int er
+                    NULL, NULL, NULL, 0, 0,
+                    "%s", msg);
+ }
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlDebugErr2(xmlDebugCtxtPtr ctxt, int error, const char *msg, int extra)
+ {
+     ctxt->errors++;
+@@ -174,7 +174,7 @@ xmlDebugErr2(xmlDebugCtxtPtr ctxt, int e
+                    NULL, NULL, NULL, 0, 0,
+                    msg, extra);
+ }
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlDebugErr3(xmlDebugCtxtPtr ctxt, int error, const char *msg, const char *extra)
+ {
+     ctxt->errors++;
+Index: libxml2-2.9.2/encoding.c
+===================================================================
+--- libxml2-2.9.2.orig/encoding.c
++++ libxml2-2.9.2/encoding.c
+@@ -93,7 +93,7 @@ xmlEncodingErrMemory(const char *extra)
+  *
+  * n encoding error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(2,0)
+ xmlEncodingErr(xmlParserErrors error, const char *msg, const char *val)
+ {
+     __xmlRaiseError(NULL, NULL, NULL, NULL, NULL,
+Index: libxml2-2.9.2/entities.c
+===================================================================
+--- libxml2-2.9.2.orig/entities.c
++++ libxml2-2.9.2/entities.c
+@@ -83,7 +83,7 @@ xmlEntitiesErrMemory(const char *extra)
+  *
+  * Handle an out of memory condition
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(2,0)
+ xmlEntitiesErr(xmlParserErrors code, const char *msg)
+ {
+     __xmlSimpleError(XML_FROM_TREE, code, NULL, msg, NULL);
+Index: libxml2-2.9.2/error.c
+===================================================================
+--- libxml2-2.9.2.orig/error.c
++++ libxml2-2.9.2/error.c
+@@ -18,7 +18,7 @@
+ 
+ void XMLCDECL xmlGenericErrorDefaultFunc       (void *ctx ATTRIBUTE_UNUSED,
+                                 const char *msg,
+-                                ...);
++                                ...) LIBXML_ATTR_FORMAT(2,3);
+ 
+ #define XML_GET_VAR_STR(msg, str) {                            \
+     int       size, prev_size = -1;                            \
+Index: libxml2-2.9.2/include/libxml/parserInternals.h
+===================================================================
+--- libxml2-2.9.2.orig/include/libxml/parserInternals.h
++++ libxml2-2.9.2/include/libxml/parserInternals.h
+@@ -351,7 +351,7 @@ XMLPUBFUN void XMLCALL
+                                                 xmlParserErrors xmlerr,
+                                                 const char *msg,
+                                                 const xmlChar * str1,
+-                                                const xmlChar * str2);
++                                                const xmlChar * str2) LIBXML_ATTR_FORMAT(3,0);
+ #endif
+ 
+ /**
+Index: libxml2-2.9.2/include/libxml/xmlerror.h
+===================================================================
+--- libxml2-2.9.2.orig/include/libxml/xmlerror.h
++++ libxml2-2.9.2/include/libxml/xmlerror.h
+@@ -937,7 +937,7 @@ XMLPUBFUN void XMLCALL
+                                 int code,
+                                 xmlNodePtr node,
+                                 const char *msg,
+-                                const char *extra);
++                                const char *extra) LIBXML_ATTR_FORMAT(4,0);
+ #endif
+ #ifdef __cplusplus
+ }
+Index: libxml2-2.9.2/include/libxml/xmlstring.h
+===================================================================
+--- libxml2-2.9.2.orig/include/libxml/xmlstring.h
++++ libxml2-2.9.2/include/libxml/xmlstring.h
+@@ -97,13 +97,13 @@ XMLPUBFUN xmlChar * XMLCALL
+ XMLPUBFUN int XMLCALL
+                 xmlStrPrintf             (xmlChar *buf,
+                                          int len,
+-                                         const xmlChar *msg,
+-                                         ...);
++                                         const char *msg,
++                                         ...) LIBXML_ATTR_FORMAT(3,4);
+ XMLPUBFUN int XMLCALL
+                 xmlStrVPrintf                (xmlChar *buf,
+                                          int len,
+-                                         const xmlChar *msg,
+-                                         va_list ap);
++                                         const char *msg,
++                                         va_list ap) LIBXML_ATTR_FORMAT(3,0);
+ 
+ XMLPUBFUN int XMLCALL
+         xmlGetUTF8Char                   (const unsigned char *utf,
+Index: libxml2-2.9.2/libxml.h
+===================================================================
+--- libxml2-2.9.2.orig/libxml.h
++++ libxml2-2.9.2/libxml.h
+@@ -71,7 +71,7 @@ extern int __xmlRegisterCallbacks;
+  * internal error reporting routines, shared but not partof the API.
+  */
+ void __xmlIOErr(int domain, int code, const char *extra);
+-void __xmlLoaderErr(void *ctx, const char *msg, const char *filename);
++void __xmlLoaderErr(void *ctx, const char *msg, const char *filename) LIBXML_ATTR_FORMAT(2,0);
+ #ifdef LIBXML_HTML_ENABLED
+ /*
+  * internal function of HTML parser needed for xmlParseInNodeContext
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -350,7 +350,6 @@ static void
+ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
+ {
+     const char *errmsg;
+-    char errstr[129] = "";
+ 
+     if ((ctxt != NULL) && (ctxt->disableSAX != 0) &&
+         (ctxt->instate == XML_PARSER_EOF))
+@@ -537,15 +536,17 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlPa
+         default:
+             errmsg = "Unregistered error message";
+     }
+-    if (info == NULL)
+-        snprintf(errstr, 128, "%s\n", errmsg);
+-    else
+-        snprintf(errstr, 128, "%s: %%s\n", errmsg);
+     if (ctxt != NULL)
+        ctxt->errNo = error;
+-    __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error,
+-                    XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, &errstr[0],
+-                    info);
++    if (info == NULL) {
++        __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error,
++                        XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, "%s\n",
++                        errmsg);
++    } else {
++        __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error,
++                        XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, "%s: %s\n",
++                        errmsg, info);
++    }
+     if (ctxt != NULL) {
+        ctxt->wellFormed = 0;
+        if (ctxt->recovery == 0)
+@@ -561,7 +562,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlPa
+  *
+  * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+                const char *msg)
+ {
+@@ -589,7 +590,7 @@ xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xm
+  *
+  * Handle a warning.
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlWarningMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+               const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+@@ -627,7 +628,7 @@ xmlWarningMsg(xmlParserCtxtPtr ctxt, xml
+  *
+  * Handle a validity error.
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlValidityError(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+               const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+@@ -667,7 +668,7 @@ xmlValidityError(xmlParserCtxtPtr ctxt,
+  *
+  * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlFatalErrMsgInt(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+                   const char *msg, int val)
+ {
+@@ -697,7 +698,7 @@ xmlFatalErrMsgInt(xmlParserCtxtPtr ctxt,
+  *
+  * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlFatalErrMsgStrIntStr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+                   const char *msg, const xmlChar *str1, int val,
+                  const xmlChar *str2)
+@@ -727,7 +728,7 @@ xmlFatalErrMsgStrIntStr(xmlParserCtxtPtr
+  *
+  * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlFatalErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+                   const char *msg, const xmlChar * val)
+ {
+@@ -756,7 +757,7 @@ xmlFatalErrMsgStr(xmlParserCtxtPtr ctxt,
+  *
+  * Handle a non fatal parser error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+                   const char *msg, const xmlChar * val)
+ {
+@@ -781,7 +782,7 @@ xmlErrMsgStr(xmlParserCtxtPtr ctxt, xmlP
+  *
+  * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlNsErr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+          const char *msg,
+          const xmlChar * info1, const xmlChar * info2,
+@@ -810,7 +811,7 @@ xmlNsErr(xmlParserCtxtPtr ctxt, xmlParse
+  *
+  * Handle a namespace warning error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlNsWarn(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+          const char *msg,
+          const xmlChar * info1, const xmlChar * info2,
+@@ -5538,7 +5539,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
+            skipped = SKIP_BLANKS;
+            if (skipped == 0) {
+                xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+-                              "Space required after '%'\n");
++                              "Space required after '%%'\n");
+            }
+            isParameter = 1;
+        }
+Index: libxml2-2.9.2/parserInternals.c
+===================================================================
+--- libxml2-2.9.2.orig/parserInternals.c
++++ libxml2-2.9.2/parserInternals.c
+@@ -169,7 +169,7 @@ __xmlErrEncoding(xmlParserCtxtPtr ctxt,
+  *
+  * Handle an internal error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(2,0)
+ xmlErrInternal(xmlParserCtxtPtr ctxt, const char *msg, const xmlChar * str)
+ {
+     if ((ctxt != NULL) && (ctxt->disableSAX != 0) &&
+@@ -197,7 +197,7 @@ xmlErrInternal(xmlParserCtxtPtr ctxt, co
+  *
+  * n encoding error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlErrEncodingInt(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+                   const char *msg, int val)
+ {
+Index: libxml2-2.9.2/relaxng.c
+===================================================================
+--- libxml2-2.9.2.orig/relaxng.c
++++ libxml2-2.9.2/relaxng.c
+@@ -507,7 +507,7 @@ xmlRngVErrMemory(xmlRelaxNGValidCtxtPtr
+  *
+  * Handle a Relax NG Parsing error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlRngPErr(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node, int error,
+            const char *msg, const xmlChar * str1, const xmlChar * str2)
+ {
+@@ -541,7 +541,7 @@ xmlRngPErr(xmlRelaxNGParserCtxtPtr ctxt,
+  *
+  * Handle a Relax NG Validation error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlRngVErr(xmlRelaxNGValidCtxtPtr ctxt, xmlNodePtr node, int error,
+            const char *msg, const xmlChar * str1, const xmlChar * str2)
+ {
+Index: libxml2-2.9.2/schematron.c
+===================================================================
+--- libxml2-2.9.2.orig/schematron.c
++++ libxml2-2.9.2/schematron.c
+@@ -245,7 +245,7 @@ xmlSchematronPErrMemory(xmlSchematronPar
+  *
+  * Handle a parser error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlSchematronPErr(xmlSchematronParserCtxtPtr ctxt, xmlNodePtr node, int error,
+               const char *msg, const xmlChar * str1, const xmlChar * str2)
+ {
+Index: libxml2-2.9.2/testModule.c
+===================================================================
+--- libxml2-2.9.2.orig/testModule.c
++++ libxml2-2.9.2/testModule.c
+@@ -47,7 +47,7 @@ int main(int argc ATTRIBUTE_UNUSED, char
+ 
+     /* build the module filename, and confirm the module exists */
+     xmlStrPrintf(filename, sizeof(filename),
+-                 (const xmlChar*) "%s/testdso%s",
++                 "%s/testdso%s",
+                  (const xmlChar*)MODULE_PATH,
+                 (const xmlChar*)LIBXML_MODULE_EXTENSION);
+ 
+Index: libxml2-2.9.2/valid.c
+===================================================================
+--- libxml2-2.9.2.orig/valid.c
++++ libxml2-2.9.2/valid.c
+@@ -93,7 +93,7 @@ xmlVErrMemory(xmlValidCtxtPtr ctxt, cons
+  *
+  * Handle a validation error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlErrValid(xmlValidCtxtPtr ctxt, xmlParserErrors error,
+             const char *msg, const char *extra)
+ {
+@@ -137,7 +137,7 @@ xmlErrValid(xmlValidCtxtPtr ctxt, xmlPar
+  *
+  * Handle a validation error, provide contextual informations
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlErrValidNode(xmlValidCtxtPtr ctxt,
+                 xmlNodePtr node, xmlParserErrors error,
+                 const char *msg, const xmlChar * str1,
+@@ -180,7 +180,7 @@ xmlErrValidNode(xmlValidCtxtPtr ctxt,
+  *
+  * Handle a validation error, provide contextual informations
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlErrValidNodeNr(xmlValidCtxtPtr ctxt,
+                 xmlNodePtr node, xmlParserErrors error,
+                 const char *msg, const xmlChar * str1,
+@@ -221,7 +221,7 @@ xmlErrValidNodeNr(xmlValidCtxtPtr ctxt,
+  *
+  * Handle a validation error, provide contextual information
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlErrValidWarning(xmlValidCtxtPtr ctxt,
+                 xmlNodePtr node, xmlParserErrors error,
+                 const char *msg, const xmlChar * str1,
+Index: libxml2-2.9.2/xinclude.c
+===================================================================
+--- libxml2-2.9.2.orig/xinclude.c
++++ libxml2-2.9.2/xinclude.c
+@@ -125,7 +125,7 @@ xmlXIncludeErrMemory(xmlXIncludeCtxtPtr
+  *
+  * Handle an XInclude error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlXIncludeErr(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error,
+                const char *msg, const xmlChar *extra)
+ {
+@@ -147,7 +147,7 @@ xmlXIncludeErr(xmlXIncludeCtxtPtr ctxt,
+  *
+  * Emit an XInclude warning.
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlXIncludeWarn(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error,
+                const char *msg, const xmlChar *extra)
+ {
+Index: libxml2-2.9.2/xmlIO.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlIO.c
++++ libxml2-2.9.2/xmlIO.c
+@@ -1604,7 +1604,7 @@ xmlCreateZMemBuff( int compression ) {
+        xmlFreeZMemBuff( buff );
+        buff = NULL;
+        xmlStrPrintf(msg, 500,
+-                   (const xmlChar *) "xmlCreateZMemBuff:  %s %d\n",
++                   "xmlCreateZMemBuff:  %s %d\n",
+                    "Error initializing compression context.  ZLIB error:",
+                    z_err );
+        xmlIOErr(XML_IO_WRITE, (const char *) msg);
+@@ -1672,7 +1672,7 @@ xmlZMemBuffExtend( xmlZMemBuffPtr buff,
+     else {
+        xmlChar msg[500];
+        xmlStrPrintf(msg, 500,
+-                   (const xmlChar *) "xmlZMemBuffExtend:  %s %lu bytes.\n",
++                   "xmlZMemBuffExtend:  %s %lu bytes.\n",
+                    "Allocation failure extending output buffer to",
+                    new_size );
+        xmlIOErr(XML_IO_WRITE, (const char *) msg);
+@@ -1718,7 +1718,7 @@ xmlZMemBuffAppend( xmlZMemBuffPtr buff,
+        if ( z_err != Z_OK ) {
+            xmlChar msg[500];
+            xmlStrPrintf(msg, 500,
+-                       (const xmlChar *) "xmlZMemBuffAppend:  %s %d %s - %d",
++                       "xmlZMemBuffAppend:  %s %d %s - %d",
+                        "Compression error while appending",
+                        len, "bytes to buffer.  ZLIB error", z_err );
+            xmlIOErr(XML_IO_WRITE, (const char *) msg);
+@@ -1791,7 +1791,7 @@ xmlZMemBuffGetContent( xmlZMemBuffPtr bu
+     else {
+        xmlChar msg[500];
+        xmlStrPrintf(msg, 500,
+-                   (const xmlChar *) "xmlZMemBuffGetContent:  %s - %d\n",
++                   "xmlZMemBuffGetContent:  %s - %d\n",
+                    "Error flushing zlib buffers.  Error code", z_err );
+        xmlIOErr(XML_IO_WRITE, (const char *) msg);
+     }
+@@ -1996,7 +1996,7 @@ xmlIOHTTPWrite( void * context, const ch
+        if ( len < 0 ) {
+            xmlChar msg[500];
+            xmlStrPrintf(msg, 500,
+-                       (const xmlChar *) "xmlIOHTTPWrite:  %s\n%s '%s'.\n",
++                       "xmlIOHTTPWrite:  %s\n%s '%s'.\n",
+                        "Error appending to internal buffer.",
+                        "Error sending document to URI",
+                        ctxt->uri );
+@@ -2068,7 +2068,7 @@ xmlIOHTTPCloseWrite( void * context, con
+     if ( http_content == NULL ) {
+        xmlChar msg[500];
+        xmlStrPrintf(msg, 500,
+-                    (const xmlChar *) "xmlIOHTTPCloseWrite:  %s '%s' %s '%s'.\n",
++                    "xmlIOHTTPCloseWrite:  %s '%s' %s '%s'.\n",
+                     "Error retrieving content.\nUnable to",
+                     http_mthd, "data to URI", ctxt->uri );
+        xmlIOErr(XML_IO_WRITE, (const char *) msg);
+@@ -2140,7 +2140,7 @@ xmlIOHTTPCloseWrite( void * context, con
+            else {
+                 xmlChar msg[500];
+                 xmlStrPrintf(msg, 500,
+-    (const xmlChar *) "xmlIOHTTPCloseWrite: HTTP '%s' of %d %s\n'%s' %s %d\n",
++                      "xmlIOHTTPCloseWrite: HTTP '%s' of %d %s\n'%s' %s %d\n",
+                            http_mthd, content_lgth,
+                            "bytes to URI", ctxt->uri,
+                            "failed.  HTTP return code:", http_rtn );
+Index: libxml2-2.9.2/xmllint.c
+===================================================================
+--- libxml2-2.9.2.orig/xmllint.c
++++ libxml2-2.9.2/xmllint.c
+@@ -449,7 +449,7 @@ startTimer(void)
+  *           message about the timing performed; format is a printf
+  *           type argument
+  */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2)
+ endTimer(const char *fmt, ...)
+ {
+     long msec;
+@@ -485,7 +485,7 @@ startTimer(void)
+ {
+     begin = clock();
+ }
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2)
+ endTimer(const char *fmt, ...)
+ {
+     long msec;
+@@ -514,7 +514,7 @@ startTimer(void)
+      * Do nothing
+      */
+ }
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2)
+ endTimer(char *format, ...)
+ {
+     /*
+@@ -634,7 +634,7 @@ xmlHTMLPrintFileContext(xmlParserInputPt
+  * Display and format an error messages, gives file, line, position and
+  * extra parameters.
+  */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlHTMLError(void *ctx, const char *msg, ...)
+ {
+     xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx;
+@@ -671,7 +671,7 @@ xmlHTMLError(void *ctx, const char *msg,
+  * Display and format a warning messages, gives file, line, position and
+  * extra parameters.
+  */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlHTMLWarning(void *ctx, const char *msg, ...)
+ {
+     xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx;
+@@ -709,7 +709,7 @@ xmlHTMLWarning(void *ctx, const char *ms
+  * Display and format an validity error messages, gives file,
+  * line, position and extra parameters.
+  */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlHTMLValidityError(void *ctx, const char *msg, ...)
+ {
+     xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx;
+@@ -746,7 +746,7 @@ xmlHTMLValidityError(void *ctx, const ch
+  * Display and format a validity warning messages, gives file, line,
+  * position and extra parameters.
+  */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlHTMLValidityWarning(void *ctx, const char *msg, ...)
+ {
+     xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx;
+@@ -1410,7 +1410,7 @@ commentDebug(void *ctx ATTRIBUTE_UNUSED,
+  * Display and format a warning messages, gives file, line, position and
+  * extra parameters.
+  */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ warningDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...)
+ {
+     va_list args;
+@@ -1433,7 +1433,7 @@ warningDebug(void *ctx ATTRIBUTE_UNUSED,
+  * Display and format a error messages, gives file, line, position and
+  * extra parameters.
+  */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ errorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...)
+ {
+     va_list args;
+@@ -1456,7 +1456,7 @@ errorDebug(void *ctx ATTRIBUTE_UNUSED, c
+  * Display and format a fatalError messages, gives file, line, position and
+  * extra parameters.
+  */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ fatalErrorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...)
+ {
+     va_list args;
+Index: libxml2-2.9.2/xmlreader.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlreader.c
++++ libxml2-2.9.2/xmlreader.c
+@@ -4050,13 +4050,19 @@ xmlTextReaderCurrentDoc(xmlTextReaderPtr
+ }
+ 
+ #ifdef LIBXML_SCHEMAS_ENABLED
+-static char *xmlTextReaderBuildMessage(const char *msg, va_list ap);
++static char *xmlTextReaderBuildMessage(const char *msg, va_list ap) LIBXML_ATTR_FORMAT(1,0);
+ 
+ static void XMLCDECL
+-xmlTextReaderValidityError(void *ctxt, const char *msg, ...);
++xmlTextReaderValidityError(void *ctxt, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3);
+ 
+ static void XMLCDECL
+-xmlTextReaderValidityWarning(void *ctxt, const char *msg, ...);
++xmlTextReaderValidityWarning(void *ctxt, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3);
++
++static void XMLCDECL
++xmlTextReaderValidityErrorRelay(void *ctx, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3);
++
++static void XMLCDECL
++xmlTextReaderValidityWarningRelay(void *ctx, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3);
+ 
+ static void XMLCDECL
+ xmlTextReaderValidityErrorRelay(void *ctx, const char *msg, ...)
+@@ -4850,7 +4856,7 @@ xmlTextReaderStructuredError(void *ctxt,
+     }
+ }
+ 
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlTextReaderError(void *ctxt, const char *msg, ...)
+ {
+     va_list ap;
+@@ -4863,7 +4869,7 @@ xmlTextReaderError(void *ctxt, const cha
+ 
+ }
+ 
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlTextReaderWarning(void *ctxt, const char *msg, ...)
+ {
+     va_list ap;
+Index: libxml2-2.9.2/xmlschemas.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlschemas.c
++++ libxml2-2.9.2/xmlschemas.c
+@@ -1085,7 +1085,7 @@ xmlSchemaGetUnionSimpleTypeMemberTypes(x
+ static void
+ xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt,
+                     const char *funcName,
+-                    const char *message);
++                    const char *message) LIBXML_ATTR_FORMAT(3,0);
+ static int
+ xmlSchemaCheckCOSSTDerivedOK(xmlSchemaAbstractCtxtPtr ctxt,
+                             xmlSchemaTypePtr type,
+@@ -1889,7 +1889,7 @@ xmlSchemaPErrMemory(xmlSchemaParserCtxtP
+  *
+  * Handle a parser error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlSchemaPErr(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error,
+               const char *msg, const xmlChar * str1, const xmlChar * str2)
+ {
+@@ -1922,7 +1922,7 @@ xmlSchemaPErr(xmlSchemaParserCtxtPtr ctx
+  *
+  * Handle a parser error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaPErr2(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node,
+                xmlNodePtr child, int error,
+                const char *msg, const xmlChar * str1, const xmlChar * str2)
+@@ -1951,7 +1951,7 @@ xmlSchemaPErr2(xmlSchemaParserCtxtPtr ct
+  *
+  * Handle a parser error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(7,0)
+ xmlSchemaPErrExt(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error,
+                const xmlChar * strData1, const xmlChar * strData2,
+                const xmlChar * strData3, const char *msg, const xmlChar * str1,
+@@ -2002,7 +2002,7 @@ xmlSchemaVErrMemory(xmlSchemaValidCtxtPt
+                      extra);
+ }
+ 
+-static void
++static void LIBXML_ATTR_FORMAT(2,0)
+ xmlSchemaPSimpleInternalErr(xmlNodePtr node,
+                            const char *msg, const xmlChar *str)
+ {
+@@ -2013,18 +2013,21 @@ xmlSchemaPSimpleInternalErr(xmlNodePtr n
+ #define WXS_ERROR_TYPE_ERROR 1
+ #define WXS_ERROR_TYPE_WARNING 2
+ /**
+- * xmlSchemaErr3:
++ * xmlSchemaErr4Line:
+  * @ctxt: the validation context
+- * @node: the context node
++ * @errorLevel: the error level
+  * @error: the error code
++ * @node: the context node
++ * @line: the line number
+  * @msg: the error message
+  * @str1: extra data
+  * @str2: extra data
+  * @str3: extra data
++ * @str4: extra data
+  *
+  * Handle a validation error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(6,0)
+ xmlSchemaErr4Line(xmlSchemaAbstractCtxtPtr ctxt,
+                  xmlErrorLevel errorLevel,
+                  int error, xmlNodePtr node, int line, const char *msg,
+@@ -2139,7 +2142,7 @@ xmlSchemaErr4Line(xmlSchemaAbstractCtxtP
+  *
+  * Handle a validation error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlSchemaErr3(xmlSchemaAbstractCtxtPtr actxt,
+              int error, xmlNodePtr node, const char *msg,
+              const xmlChar *str1, const xmlChar *str2, const xmlChar *str3)
+@@ -2148,7 +2151,7 @@ xmlSchemaErr3(xmlSchemaAbstractCtxtPtr a
+        msg, str1, str2, str3, NULL);
+ }
+ 
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlSchemaErr4(xmlSchemaAbstractCtxtPtr actxt,
+              int error, xmlNodePtr node, const char *msg,
+              const xmlChar *str1, const xmlChar *str2,
+@@ -2158,7 +2161,7 @@ xmlSchemaErr4(xmlSchemaAbstractCtxtPtr a
+        msg, str1, str2, str3, str4);
+ }
+ 
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlSchemaErr(xmlSchemaAbstractCtxtPtr actxt,
+             int error, xmlNodePtr node, const char *msg,
+             const xmlChar *str1, const xmlChar *str2)
+@@ -2181,7 +2184,7 @@ xmlSchemaFormatNodeForError(xmlChar ** m
+        /*
+        * Don't try to format other nodes than element and
+        * attribute nodes.
+-       * Play save and return an empty string.
++       * Play safe and return an empty string.
+        */
+        *msg = xmlStrdup(BAD_CAST "");
+        return(*msg);
+@@ -2262,7 +2265,7 @@ xmlSchemaFormatNodeForError(xmlChar ** m
+     return (*msg);
+ }
+ 
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlSchemaInternalErr2(xmlSchemaAbstractCtxtPtr actxt,
+                     const char *funcName,
+                     const char *message,
+@@ -2273,24 +2276,21 @@ xmlSchemaInternalErr2(xmlSchemaAbstractC
+ 
+     if (actxt == NULL)
+         return;
+-    msg = xmlStrdup(BAD_CAST "Internal error: ");
+-    msg = xmlStrcat(msg, BAD_CAST funcName);
+-    msg = xmlStrcat(msg, BAD_CAST ", ");
++    msg = xmlStrdup(BAD_CAST "Internal error: %s, ");
+     msg = xmlStrcat(msg, BAD_CAST message);
+     msg = xmlStrcat(msg, BAD_CAST ".\n");
+ 
+     if (actxt->type == XML_SCHEMA_CTXT_VALIDATOR)
+-       xmlSchemaErr(actxt, XML_SCHEMAV_INTERNAL, NULL,
+-           (const char *) msg, str1, str2);
+-
++       xmlSchemaErr3(actxt, XML_SCHEMAV_INTERNAL, NULL,
++           (const char *) msg, (const xmlChar *) funcName, str1, str2);
+     else if (actxt->type == XML_SCHEMA_CTXT_PARSER)
+-       xmlSchemaErr(actxt, XML_SCHEMAP_INTERNAL, NULL,
+-           (const char *) msg, str1, str2);
++       xmlSchemaErr3(actxt, XML_SCHEMAP_INTERNAL, NULL,
++           (const char *) msg, (const xmlChar *) funcName, str1, str2);
+ 
+     FREE_AND_NULL(msg)
+ }
+ 
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt,
+                     const char *funcName,
+                     const char *message)
+@@ -2299,7 +2299,7 @@ xmlSchemaInternalErr(xmlSchemaAbstractCt
+ }
+ 
+ #if 0
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlSchemaPInternalErr(xmlSchemaParserCtxtPtr pctxt,
+                     const char *funcName,
+                     const char *message,
+@@ -2311,7 +2311,7 @@ xmlSchemaPInternalErr(xmlSchemaParserCtx
+ }
+ #endif
+ 
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaCustomErr4(xmlSchemaAbstractCtxtPtr actxt,
+                   xmlParserErrors error,
+                   xmlNodePtr node,
+@@ -2336,7 +2336,7 @@ xmlSchemaCustomErr4(xmlSchemaAbstractCtx
+     FREE_AND_NULL(msg)
+ }
+ 
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaCustomErr(xmlSchemaAbstractCtxtPtr actxt,
+                   xmlParserErrors error,
+                   xmlNodePtr node,
+@@ -2351,7 +2351,7 @@ xmlSchemaCustomErr(xmlSchemaAbstractCtxt
+ 
+ 
+ 
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaCustomWarning(xmlSchemaAbstractCtxtPtr actxt,
+                   xmlParserErrors error,
+                   xmlNodePtr node,
+@@ -2376,7 +2376,7 @@ xmlSchemaCustomWarning(xmlSchemaAbstract
+ 
+ 
+ 
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaKeyrefErr(xmlSchemaValidCtxtPtr vctxt,
+                   xmlParserErrors error,
+                   xmlSchemaPSVIIDCNodePtr idcNode,
+@@ -2525,7 +2525,7 @@ xmlSchemaIllegalAttrErr(xmlSchemaAbstrac
+     FREE_AND_NULL(msg)
+ }
+ 
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaComplexTypeErr(xmlSchemaAbstractCtxtPtr actxt,
+                        xmlParserErrors error,
+                        xmlNodePtr node,
+@@ -2625,7 +2625,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstrac
+     xmlFree(msg);
+ }
+ 
+-static void
++static void LIBXML_ATTR_FORMAT(8,0)
+ xmlSchemaFacetErr(xmlSchemaAbstractCtxtPtr actxt,
+                  xmlParserErrors error,
+                  xmlNodePtr node,
+@@ -2916,7 +2916,7 @@ xmlSchemaPIllegalAttrErr(xmlSchemaParser
+  *
+  * Reports an error during parsing.
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaPCustomErrExt(xmlSchemaParserCtxtPtr ctxt,
+                    xmlParserErrors error,
+                    xmlSchemaBasicItemPtr item,
+@@ -2952,7 +2952,7 @@ xmlSchemaPCustomErrExt(xmlSchemaParserCt
+  *
+  * Reports an error during parsing.
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaPCustomErr(xmlSchemaParserCtxtPtr ctxt,
+                    xmlParserErrors error,
+                    xmlSchemaBasicItemPtr item,
+@@ -2977,7 +2977,7 @@ xmlSchemaPCustomErr(xmlSchemaParserCtxtP
+  *
+  * Reports an attribute use error during parsing.
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(6,0)
+ xmlSchemaPAttrUseErr4(xmlSchemaParserCtxtPtr ctxt,
+                    xmlParserErrors error,
+                    xmlNodePtr node,
+@@ -3099,7 +3099,7 @@ xmlSchemaPMutualExclAttrErr(xmlSchemaPar
+  * Reports a simple type validation error.
+  * TODO: Should this report the value of an element as well?
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(8,0)
+ xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt,
+                        xmlParserErrors error,
+                        xmlSchemaBasicItemPtr ownerItem ATTRIBUTE_UNUSED,
+Index: libxml2-2.9.2/xmlstring.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlstring.c
++++ libxml2-2.9.2/xmlstring.c
+@@ -545,7 +545,7 @@ xmlStrcat(xmlChar *cur, const xmlChar *a
+  * Returns the number of characters written to @buf or -1 if an error occurs.
+  */
+ int XMLCDECL
+-xmlStrPrintf(xmlChar *buf, int len, const xmlChar *msg, ...) {
++xmlStrPrintf(xmlChar *buf, int len, const char *msg, ...) {
+     va_list args;
+     int ret;
+ 
+@@ -573,7 +573,7 @@ xmlStrPrintf(xmlChar *buf, int len, cons
+  * Returns the number of characters written to @buf or -1 if an error occurs.
+  */
+ int
+-xmlStrVPrintf(xmlChar *buf, int len, const xmlChar *msg, va_list ap) {
++xmlStrVPrintf(xmlChar *buf, int len, const char *msg, va_list ap) {
+     int ret;
+ 
+     if((buf == NULL) || (msg == NULL)) {
+Index: libxml2-2.9.2/xmlwriter.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlwriter.c
++++ libxml2-2.9.2/xmlwriter.c
+@@ -113,7 +113,7 @@ static int xmlTextWriterWriteDocCallback
+                                          const xmlChar * str, int len);
+ static int xmlTextWriterCloseDocCallback(void *context);
+ 
+-static xmlChar *xmlTextWriterVSprintf(const char *format, va_list argptr);
++static xmlChar *xmlTextWriterVSprintf(const char *format, va_list argptr) LIBXML_ATTR_FORMAT(1,0);
+ static int xmlOutputBufferWriteBase64(xmlOutputBufferPtr out, int len,
+                                       const unsigned char *data);
+ static void xmlTextWriterStartDocumentCallback(void *ctx);
+@@ -153,7 +153,7 @@ xmlWriterErrMsg(xmlTextWriterPtr ctxt, x
+  *
+  * Handle a writer error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlWriterErrMsgInt(xmlTextWriterPtr ctxt, xmlParserErrors error,
+                const char *msg, int val)
+ {
+Index: libxml2-2.9.2/xpath.c
+===================================================================
+--- libxml2-2.9.2.orig/xpath.c
++++ libxml2-2.9.2/xpath.c
+@@ -639,7 +639,7 @@ xmlXPathErrMemory(xmlXPathContextPtr ctx
+             xmlChar buf[200];
+ 
+             xmlStrPrintf(buf, 200,
+-                         BAD_CAST "Memory allocation failed : %s\n",
++                         "Memory allocation failed : %s\n",
+                          extra);
+             ctxt->lastError.message = (char *) xmlStrdup(buf);
+         } else {
+Index: libxml2-2.9.2/xpointer.c
+===================================================================
+--- libxml2-2.9.2.orig/xpointer.c
++++ libxml2-2.9.2/xpointer.c
+@@ -85,7 +85,7 @@ xmlXPtrErrMemory(const char *extra)
+  *
+  * Handle a redefinition of attribute error
+  */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlXPtrErr(xmlXPathParserContextPtr ctxt, int error,
+            const char * msg, const xmlChar *extra)
+ {
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch
new file mode 100644
index 0000000000..bfea8fde55
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch
@@ -0,0 +1,208 @@
+From 502f6a6d08b08c04b3ddfb1cd21b2f699c1b7f5b Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Mon, 23 May 2016 14:58:41 +0800
+Subject: [PATCH] More format string warnings with possible format string
+ vulnerability
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=761029
+
+adds a new xmlEscapeFormatString() function to escape composed format
+strings
+
+Upstream-Status: Backport
+CVE: CVE-2016-4448 patch #2
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libxml.h     |  3 +++
+ relaxng.c    |  3 ++-
+ xmlschemas.c | 39 ++++++++++++++++++++++++++-------------
+ xmlstring.c  | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 86 insertions(+), 14 deletions(-)
+
+Index: libxml2-2.9.2/libxml.h
+===================================================================
+--- libxml2-2.9.2.orig/libxml.h
++++ libxml2-2.9.2/libxml.h
+@@ -9,6 +9,8 @@
+ #ifndef __XML_LIBXML_H__
+ #define __XML_LIBXML_H__
+ 
++#include <libxml/xmlstring.h>
++
+ #ifndef NO_LARGEFILE_SOURCE
+ #ifndef _LARGEFILE_SOURCE
+ #define _LARGEFILE_SOURCE
+@@ -96,6 +98,7 @@ int __xmlInitializeDict(void);
+ int __xmlRandom(void);
+ #endif
+ 
++XMLPUBFUN xmlChar * XMLCALL xmlEscapeFormatString(xmlChar **msg);
+ int xmlNop(void);
+ 
+ #ifdef IN_LIBXML
+Index: libxml2-2.9.2/relaxng.c
+===================================================================
+--- libxml2-2.9.2.orig/relaxng.c
++++ libxml2-2.9.2/relaxng.c
+@@ -2215,7 +2215,8 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValid
+         snprintf(msg, 1000, "Unknown error code %d\n", err);
+     }
+     msg[1000 - 1] = 0;
+-    return (xmlStrdup((xmlChar *) msg));
++    xmlChar *result = xmlCharStrdup(msg);
++    return (xmlEscapeFormatString(&result));
+ }
+ 
+ /**
+Index: libxml2-2.9.2/xmlschemas.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlschemas.c
++++ libxml2-2.9.2/xmlschemas.c
+@@ -1769,7 +1769,7 @@ xmlSchemaFormatItemForReport(xmlChar **b
+     }
+     FREE_AND_NULL(str)
+ 
+-    return (*buf);
++    return (xmlEscapeFormatString(buf));
+ }
+ 
+ /**
+@@ -2249,6 +2249,13 @@ xmlSchemaFormatNodeForError(xmlChar ** m
+        TODO
+        return (NULL);
+     }
++
++    /*
++     * xmlSchemaFormatItemForReport() also returns an escaped format
++     * string, so do this before calling it below (in the future).
++     */
++    xmlEscapeFormatString(msg);
++
+     /*
+     * VAL TODO: The output of the given schema component is currently
+     * disabled.
+@@ -2476,11 +2483,13 @@ xmlSchemaSimpleTypeErr(xmlSchemaAbstract
+        msg = xmlStrcat(msg, BAD_CAST " '");
+        if (type->builtInType != 0) {
+            msg = xmlStrcat(msg, BAD_CAST "xs:");
+-           msg = xmlStrcat(msg, type->name);
+-       } else
+-           msg = xmlStrcat(msg,
+-               xmlSchemaFormatQName(&str,
+-                   type->targetNamespace, type->name));
++           str = xmlStrdup(type->name);
++       } else {
++           const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
++           if (!str)
++               str = xmlStrdup(qName);
++       }
++       msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+        msg = xmlStrcat(msg, BAD_CAST "'");
+        FREE_AND_NULL(str);
+     }
+@@ -2617,7 +2626,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstrac
+                str = xmlStrcat(str, BAD_CAST ", ");
+        }
+        str = xmlStrcat(str, BAD_CAST " ).\n");
+-       msg = xmlStrcat(msg, BAD_CAST str);
++       msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+        FREE_AND_NULL(str)
+     } else
+       msg = xmlStrcat(msg, BAD_CAST "\n");
+@@ -3141,11 +3150,13 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC
+                msg = xmlStrcat(msg, BAD_CAST " '");
+                if (type->builtInType != 0) {
+                    msg = xmlStrcat(msg, BAD_CAST "xs:");
+-                   msg = xmlStrcat(msg, type->name);
+-               } else
+-                   msg = xmlStrcat(msg,
+-                       xmlSchemaFormatQName(&str,
+-                           type->targetNamespace, type->name));
++                   str = xmlStrdup(type->name);
++               } else {
++                   const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
++                   if (!str)
++                       str = xmlStrdup(qName);
++               }
++               msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+                msg = xmlStrcat(msg, BAD_CAST "'.");
+                FREE_AND_NULL(str);
+            }
+@@ -3158,7 +3169,9 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC
+        }
+        if (expected) {
+            msg = xmlStrcat(msg, BAD_CAST " Expected is '");
+-           msg = xmlStrcat(msg, BAD_CAST expected);
++           xmlChar *expectedEscaped = xmlCharStrdup(expected);
++           msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped));
++           FREE_AND_NULL(expectedEscaped);
+            msg = xmlStrcat(msg, BAD_CAST "'.\n");
+        } else
+            msg = xmlStrcat(msg, BAD_CAST "\n");
+Index: libxml2-2.9.2/xmlstring.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlstring.c
++++ libxml2-2.9.2/xmlstring.c
+@@ -987,5 +987,60 @@ xmlUTF8Strsub(const xmlChar *utf, int st
+     return(xmlUTF8Strndup(utf, len));
+ }
+ 
++/**
++ * xmlEscapeFormatString:
++ * @msg:  a pointer to the string in which to escape '%' characters.
++ * Must be a heap-allocated buffer created by libxml2 that may be
++ * returned, or that may be freed and replaced.
++ *
++ * Replaces the string pointed to by 'msg' with an escaped string.
++ * Returns the same string with all '%' characters escaped.
++ */
++xmlChar *
++xmlEscapeFormatString(xmlChar **msg)
++{
++    xmlChar *msgPtr = NULL;
++    xmlChar *result = NULL;
++    xmlChar *resultPtr = NULL;
++    size_t count = 0;
++    size_t msgLen = 0;
++    size_t resultLen = 0;
++
++    if (!msg || !*msg)
++        return(NULL);
++
++    for (msgPtr = *msg; *msgPtr != '\0'; ++msgPtr) {
++        ++msgLen;
++        if (*msgPtr == '%')
++            ++count;
++    }
++
++    if (count == 0)
++        return(*msg);
++
++    resultLen = msgLen + count + 1;
++    result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar));
++    if (result == NULL) {
++        /* Clear *msg to prevent format string vulnerabilities in
++           out-of-memory situations. */
++        xmlFree(*msg);
++        *msg = NULL;
++        xmlErrMemory(NULL, NULL);
++        return(NULL);
++    }
++
++    for (msgPtr = *msg, resultPtr = result; *msgPtr != '\0'; ++msgPtr, ++resultPtr) {
++        *resultPtr = *msgPtr;
++        if (*msgPtr == '%')
++            *(++resultPtr) = '%';
++    }
++    result[resultLen - 1] = '\0';
++
++    xmlFree(*msg);
++    *msg = result;
++
++    return *msg;
++}
++
+ #define bottom_xmlstring
+ #include "elfgcchack.h"
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index c7db1de14e..e221a4f702 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -18,6 +18,8 @@ SRC_URI += "file://CVE-2016-1762.patch \
             file://CVE-2016-1833.patch \
             file://CVE-2016-3627.patch \
             file://CVE-2016-4447.patch \
+            file://CVE-2016-4448_1.patch \
+            file://CVE-2016-4448_2.patch \
     "
 
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"