2 files changed, 81 insertions, 0 deletions
diff --git a/meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch b/meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch
new file mode 100644
index 0000000000..57aaacc587
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch
@@ -0,0 +1,80 @@
+From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 12 Jan 2017 15:39:52 +0100
+Subject: [PATCH] Check for integer overflow in xsltAddTextString
+Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
+exploited to trigger an out of bounds write on 64-bit systems.
+Originally reported to Chromium:
+https://crbug.com/676623
+CVE: CVE-2017-5029
+Upstream-Status: Backport
+Signed-off-by: Fan Xin <fan.xin@jp.fujitus.com>
+---
+ libxslt/transform.c     | 25 ++++++++++++++++++++++---
+ libxslt/xsltInternals.h |  4 ++--
+ 2 files changed, 24 insertions(+), 5 deletions(-)
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 519133f..02bff34 100644
+--- a/libxslt/transform.c
+++ b/libxslt/transform.c
+@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
+         return(target);
+ 
+     if (ctxt->lasttext == target->content) {
+        int minSize;
+ 
+-       if (ctxt->lasttuse + len >= ctxt->lasttsize) {
+        /* Check for integer overflow accounting for NUL terminator. */
+        if (len >= INT_MAX - ctxt->lasttuse) {
+            xsltTransformError(ctxt, NULL, target,
+                "xsltCopyText: text allocation failed\n");
+            return(NULL);
+        }
+        minSize = ctxt->lasttuse + len + 1;
+
+        if (ctxt->lasttsize < minSize) {
+            xmlChar *newbuf;
+            int size;
+            int extra;
+
+            /* Double buffer size but increase by at least 100 bytes. */
+            extra = minSize < 100 ? 100 : minSize;
+
+            /* Check for integer overflow. */
+            if (extra > INT_MAX - ctxt->lasttsize) {
+                size = INT_MAX;
+            }
+            else {
+                size = ctxt->lasttsize + extra;
+            }
+ 
+-           size = ctxt->lasttsize + len + 100;
+-           size *= 2;
+            newbuf = (xmlChar *) xmlRealloc(target->content,size);
+            if (newbuf == NULL) {
+                xsltTransformError(ctxt, NULL, target,
+diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
+index 060b178..5ad1771 100644
+--- a/libxslt/xsltInternals.h
+++ b/libxslt/xsltInternals.h
+@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
+      * Speed optimization when coalescing text nodes
+      */
+     const xmlChar  *lasttext;          /* last text node content */
+-    unsigned int    lasttsize;         /* last text node size */
+-    unsigned int    lasttuse;          /* last text node use */
+    int             lasttsize;         /* last text node size */
+    int             lasttuse;          /* last text node use */
+     /*
+      * Per Context Debugging
+      */
+-- 
+1.9.1
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.29.bb b/meta/recipes-support/libxslt/libxslt_1.1.29.bb
index 2946a745e9..d27c706602 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.29.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.29.bb
@@ -12,6 +12,7 @@ SRC_URI = "ftp://xmlsoft.org/libxslt/libxslt-${PV}.tar.gz \
           file://pkgconfig_fix.patch \
           file://0001-Use-pkg-config-to-find-gcrypt-and-libxml2.patch \
           file://0001-Link-libraries-with-libm.patch \
+           file://0001-Check-for-integer-overflow-in-xsltAddTextString.patch \
           "
 SRC_URI[md5sum] = "a129d3c44c022de3b9dcf6d6f288d72e"

diff --git a/meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch b/meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch new file mode 100644 index 0000000000..57aaacc587 --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch
@@ -0,0 +1,80 @@
		1	From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Thu, 12 Jan 2017 15:39:52 +0100
		4	Subject: [PATCH] Check for integer overflow in xsltAddTextString
		5
		6	Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
		7	exploited to trigger an out of bounds write on 64-bit systems.
		8
		9	Originally reported to Chromium:
		10
		11	https://crbug.com/676623
		12
		13	CVE: CVE-2017-5029
		14	Upstream-Status: Backport
		15
		16	Signed-off-by: Fan Xin <fan.xin@jp.fujitus.com>
		17
		18	---
		19	libxslt/transform.c \| 25 ++++++++++++++++++++++---
		20	libxslt/xsltInternals.h \| 4 ++--
		21	2 files changed, 24 insertions(+), 5 deletions(-)
		22
		23	diff --git a/libxslt/transform.c b/libxslt/transform.c
		24	index 519133f..02bff34 100644
		25	--- a/libxslt/transform.c
		26	+++ b/libxslt/transform.c
		27	@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
		28	return(target);
		29
		30	if (ctxt->lasttext == target->content) {
		31	+ int minSize;
		32
		33	- if (ctxt->lasttuse + len >= ctxt->lasttsize) {
		34	+ /* Check for integer overflow accounting for NUL terminator. */
		35	+ if (len >= INT_MAX - ctxt->lasttuse) {
		36	+ xsltTransformError(ctxt, NULL, target,
		37	+ "xsltCopyText: text allocation failed\n");
		38	+ return(NULL);
		39	+ }
		40	+ minSize = ctxt->lasttuse + len + 1;
		41	+
		42	+ if (ctxt->lasttsize < minSize) {
		43	xmlChar *newbuf;
		44	int size;
		45	+ int extra;
		46	+
		47	+ /* Double buffer size but increase by at least 100 bytes. */
		48	+ extra = minSize < 100 ? 100 : minSize;
		49	+
		50	+ /* Check for integer overflow. */
		51	+ if (extra > INT_MAX - ctxt->lasttsize) {
		52	+ size = INT_MAX;
		53	+ }
		54	+ else {
		55	+ size = ctxt->lasttsize + extra;
		56	+ }
		57
		58	- size = ctxt->lasttsize + len + 100;
		59	- size *= 2;
		60	newbuf = (xmlChar *) xmlRealloc(target->content,size);
		61	if (newbuf == NULL) {
		62	xsltTransformError(ctxt, NULL, target,
		63	diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
		64	index 060b178..5ad1771 100644
		65	--- a/libxslt/xsltInternals.h
		66	+++ b/libxslt/xsltInternals.h
		67	@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
		68	* Speed optimization when coalescing text nodes
		69	*/
		70	const xmlChar lasttext; / last text node content */
		71	- unsigned int lasttsize; /* last text node size */
		72	- unsigned int lasttuse; /* last text node use */
		73	+ int lasttsize; /* last text node size */
		74	+ int lasttuse; /* last text node use */
		75	/*
		76	* Per Context Debugging
		77	*/
		78	--
		79	1.9.1
		80


diff --git a/meta/recipes-support/libxslt/libxslt_1.1.29.bb b/meta/recipes-support/libxslt/libxslt_1.1.29.bb index 2946a745e9..d27c706602 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.29.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.29.bb
@@ -12,6 +12,7 @@ SRC_URI = "ftp://xmlsoft.org/libxslt/libxslt-${PV}.tar.gz \
12	file://pkgconfig_fix.patch \	12	file://pkgconfig_fix.patch \
13	file://0001-Use-pkg-config-to-find-gcrypt-and-libxml2.patch \	13	file://0001-Use-pkg-config-to-find-gcrypt-and-libxml2.patch \
14	file://0001-Link-libraries-with-libm.patch \	14	file://0001-Link-libraries-with-libm.patch \
		15	file://0001-Check-for-integer-overflow-in-xsltAddTextString.patch \
15	"	16	"
16		17
17	SRC_URI[md5sum] = "a129d3c44c022de3b9dcf6d6f288d72e"	18	SRC_URI[md5sum] = "a129d3c44c022de3b9dcf6d6f288d72e"