2 files changed, 66 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat/CVE-2021-45960.patch b/meta/recipes-core/expat/expat/CVE-2021-45960.patch
new file mode 100644
index 0000000000..523449e22c
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2021-45960.patch
@@ -0,0 +1,65 @@
+From 0adcb34c49bee5b19bd29b16a578c510c23597ea Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 27 Dec 2021 20:15:02 +0100
+Subject: [PATCH] lib: Detect and prevent troublesome left shifts in function
+ storeAtts (CVE-2021-45960)
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/pull/534/commits/0adcb34c49bee5b19bd29b16a578c510c23597ea
+CVE: CVE-2021-45960
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ expat/lib/xmlparse.c | 31 +++++++++++++++++++++++++++++--
+ 1 file changed, 29 insertions(+), 2 deletions(-)
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index d730f41c3..b47c31b05 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -3414,7 +3414,13 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+   if (nPrefixes) {
+     int j; /* hash table index */
+     unsigned long version = parser->m_nsAttsVersion;
+-    int nsAttsSize = (int)1 << parser->m_nsAttsPower;
+
+    /* Detect and prevent invalid shift */
+    if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) {
+      return XML_ERROR_NO_MEMORY;
+    }
+
+    unsigned int nsAttsSize = 1u << parser->m_nsAttsPower;
+     unsigned char oldNsAttsPower = parser->m_nsAttsPower;
+     /* size of hash table must be at least 2 * (# of prefixed attributes) */
+     if ((nPrefixes << 1)
+@@ -3425,7 +3431,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+         ;
+       if (parser->m_nsAttsPower < 3)
+         parser->m_nsAttsPower = 3;
+-      nsAttsSize = (int)1 << parser->m_nsAttsPower;
+
+      /* Detect and prevent invalid shift */
+      if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) {
+        /* Restore actual size of memory in m_nsAtts */
+        parser->m_nsAttsPower = oldNsAttsPower;
+        return XML_ERROR_NO_MEMORY;
+      }
+
+      nsAttsSize = 1u << parser->m_nsAttsPower;
+
+      /* Detect and prevent integer overflow.
+       * The preprocessor guard addresses the "always false" warning
+       * from -Wtype-limits on platforms where
+       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+      if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
+        /* Restore actual size of memory in m_nsAtts */
+        parser->m_nsAttsPower = oldNsAttsPower;
+        return XML_ERROR_NO_MEMORY;
+      }
+#endif
+
+       temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts,
+                                nsAttsSize * sizeof(NS_ATT));
+       if (! temp) {
diff --git a/meta/recipes-core/expat/expat_2.2.10.bb b/meta/recipes-core/expat/expat_2.2.10.bb
index 5a123305c4..7a892b0304 100644
--- a/meta/recipes-core/expat/expat_2.2.10.bb
+++ b/meta/recipes-core/expat/expat_2.2.10.bb
@@ -13,6 +13,7 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA
           file://run-ptest \
           file://0001-Add-output-of-tests-result.patch \
           file://CVE-2022-22822-27.patch \
+           file://CVE-2021-45960.patch \
          "
 UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"

diff --git a/meta/recipes-core/expat/expat/CVE-2021-45960.patch b/meta/recipes-core/expat/expat/CVE-2021-45960.patch new file mode 100644 index 0000000000..523449e22c --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2021-45960.patch
@@ -0,0 +1,65 @@
		1	From 0adcb34c49bee5b19bd29b16a578c510c23597ea Mon Sep 17 00:00:00 2001
		2	From: Sebastian Pipping <sebastian@pipping.org>
		3	Date: Mon, 27 Dec 2021 20:15:02 +0100
		4	Subject: [PATCH] lib: Detect and prevent troublesome left shifts in function
		5	storeAtts (CVE-2021-45960)
		6
		7	Upstream-Status: Backport:
		8	https://github.com/libexpat/libexpat/pull/534/commits/0adcb34c49bee5b19bd29b16a578c510c23597ea
		9
		10	CVE: CVE-2021-45960
		11	Signed-off-by: Steve Sakoman <steve@sakoman.com>
		12
		13	---
		14	expat/lib/xmlparse.c \| 31 +++++++++++++++++++++++++++++--
		15	1 file changed, 29 insertions(+), 2 deletions(-)
		16
		17	diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
		18	index d730f41c3..b47c31b05 100644
		19	--- a/lib/xmlparse.c
		20	+++ b/lib/xmlparse.c
		21	@@ -3414,7 +3414,13 @@ storeAtts(XML_Parser parser, const ENCODING enc, const char attStr,
		22	if (nPrefixes) {
		23	int j; /* hash table index */
		24	unsigned long version = parser->m_nsAttsVersion;
		25	- int nsAttsSize = (int)1 << parser->m_nsAttsPower;
		26	+
		27	+ /* Detect and prevent invalid shift */
		28	+ if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) {
		29	+ return XML_ERROR_NO_MEMORY;
		30	+ }
		31	+
		32	+ unsigned int nsAttsSize = 1u << parser->m_nsAttsPower;
		33	unsigned char oldNsAttsPower = parser->m_nsAttsPower;
		34	/* size of hash table must be at least 2 * (# of prefixed attributes) */
		35	if ((nPrefixes << 1)
		36	@@ -3425,7 +3431,28 @@ storeAtts(XML_Parser parser, const ENCODING enc, const char attStr,
		37	;
		38	if (parser->m_nsAttsPower < 3)
		39	parser->m_nsAttsPower = 3;
		40	- nsAttsSize = (int)1 << parser->m_nsAttsPower;
		41	+
		42	+ /* Detect and prevent invalid shift */
		43	+ if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) {
		44	+ /* Restore actual size of memory in m_nsAtts */
		45	+ parser->m_nsAttsPower = oldNsAttsPower;
		46	+ return XML_ERROR_NO_MEMORY;
		47	+ }
		48	+
		49	+ nsAttsSize = 1u << parser->m_nsAttsPower;
		50	+
		51	+ /* Detect and prevent integer overflow.
		52	+ * The preprocessor guard addresses the "always false" warning
		53	+ * from -Wtype-limits on platforms where
		54	+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
		55	+#if UINT_MAX >= SIZE_MAX
		56	+ if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
		57	+ /* Restore actual size of memory in m_nsAtts */
		58	+ parser->m_nsAttsPower = oldNsAttsPower;
		59	+ return XML_ERROR_NO_MEMORY;
		60	+ }
		61	+#endif
		62	+
		63	temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts,
		64	nsAttsSize * sizeof(NS_ATT));
		65	if (! temp) {


diff --git a/meta/recipes-core/expat/expat_2.2.10.bb b/meta/recipes-core/expat/expat_2.2.10.bb index 5a123305c4..7a892b0304 100644 --- a/meta/recipes-core/expat/expat_2.2.10.bb +++ b/meta/recipes-core/expat/expat_2.2.10.bb
@@ -13,6 +13,7 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA
13	file://run-ptest \	13	file://run-ptest \
14	file://0001-Add-output-of-tests-result.patch \	14	file://0001-Add-output-of-tests-result.patch \
15	file://CVE-2022-22822-27.patch \	15	file://CVE-2022-22822-27.patch \
		16	file://CVE-2021-45960.patch \
16	"	17	"
17		18
18	UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"	19	UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"