summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch624
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch106
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.14.bb2
3 files changed, 732 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch
new file mode 100644
index 0000000000..346ec37a9f
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch
@@ -0,0 +1,624 @@
1From 15050f59d2a62b97b34e9cab8b8076a68ef003bd Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Thu, 25 Aug 2022 17:43:08 +0200
4Subject: [PATCH] CVE-2022-40303
5
6Fix integer overflows with XML_PARSE_HUGE
7
8Also impose size limits when XML_PARSE_HUGE is set. Limit size of names
9to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to
10XML_MAX_HUGE_LENGTH (1 billion bytes).
11
12Move some the length checks to the end of the respective loop to make
13them strict.
14
15xmlParseEntityValue didn't have a length limitation at all. But without
16XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW.
17
18Thanks to Maddie Stone working with Google Project Zero for the report!
19
20Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0]
21CVE: CVE-2022-40303
22Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
23---
24 parser.c | 233 +++++++++++++++++++++++++++++--------------------------
25 1 file changed, 121 insertions(+), 112 deletions(-)
26
27diff --git a/parser.c b/parser.c
28index 1bc3713..0f76577 100644
29--- a/parser.c
30+++ b/parser.c
31@@ -115,6 +115,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt);
32 * *
33 ************************************************************************/
34
35+#define XML_MAX_HUGE_LENGTH 1000000000
36+
37 #define XML_PARSER_BIG_ENTITY 1000
38 #define XML_PARSER_LOT_ENTITY 5000
39
40@@ -565,7 +567,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
41 errmsg = "Malformed declaration expecting version";
42 break;
43 case XML_ERR_NAME_TOO_LONG:
44- errmsg = "Name too long use XML_PARSE_HUGE option";
45+ errmsg = "Name too long";
46 break;
47 #if 0
48 case:
49@@ -3210,6 +3212,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
50 int len = 0, l;
51 int c;
52 int count = 0;
53+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
54+ XML_MAX_TEXT_LENGTH :
55+ XML_MAX_NAME_LENGTH;
56
57 #ifdef DEBUG
58 nbParseNameComplex++;
59@@ -3275,7 +3280,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
60 if (ctxt->instate == XML_PARSER_EOF)
61 return(NULL);
62 }
63- len += l;
64+ if (len <= INT_MAX - l)
65+ len += l;
66 NEXTL(l);
67 c = CUR_CHAR(l);
68 }
69@@ -3301,13 +3307,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
70 if (ctxt->instate == XML_PARSER_EOF)
71 return(NULL);
72 }
73- len += l;
74+ if (len <= INT_MAX - l)
75+ len += l;
76 NEXTL(l);
77 c = CUR_CHAR(l);
78 }
79 }
80- if ((len > XML_MAX_NAME_LENGTH) &&
81- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
82+ if (len > maxLength) {
83 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
84 return(NULL);
85 }
86@@ -3346,7 +3352,10 @@ const xmlChar *
87 xmlParseName(xmlParserCtxtPtr ctxt) {
88 const xmlChar *in;
89 const xmlChar *ret;
90- int count = 0;
91+ size_t count = 0;
92+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
93+ XML_MAX_TEXT_LENGTH :
94+ XML_MAX_NAME_LENGTH;
95
96 GROW;
97
98@@ -3370,8 +3379,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) {
99 in++;
100 if ((*in > 0) && (*in < 0x80)) {
101 count = in - ctxt->input->cur;
102- if ((count > XML_MAX_NAME_LENGTH) &&
103- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
104+ if (count > maxLength) {
105 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
106 return(NULL);
107 }
108@@ -3392,6 +3400,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
109 int len = 0, l;
110 int c;
111 int count = 0;
112+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
113+ XML_MAX_TEXT_LENGTH :
114+ XML_MAX_NAME_LENGTH;
115 size_t startPosition = 0;
116
117 #ifdef DEBUG
118@@ -3412,17 +3423,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
119 while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */
120 (xmlIsNameChar(ctxt, c) && (c != ':'))) {
121 if (count++ > XML_PARSER_CHUNK_SIZE) {
122- if ((len > XML_MAX_NAME_LENGTH) &&
123- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
124- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
125- return(NULL);
126- }
127 count = 0;
128 GROW;
129 if (ctxt->instate == XML_PARSER_EOF)
130 return(NULL);
131 }
132- len += l;
133+ if (len <= INT_MAX - l)
134+ len += l;
135 NEXTL(l);
136 c = CUR_CHAR(l);
137 if (c == 0) {
138@@ -3440,8 +3447,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
139 c = CUR_CHAR(l);
140 }
141 }
142- if ((len > XML_MAX_NAME_LENGTH) &&
143- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
144+ if (len > maxLength) {
145 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
146 return(NULL);
147 }
148@@ -3467,7 +3473,10 @@ static const xmlChar *
149 xmlParseNCName(xmlParserCtxtPtr ctxt) {
150 const xmlChar *in, *e;
151 const xmlChar *ret;
152- int count = 0;
153+ size_t count = 0;
154+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
155+ XML_MAX_TEXT_LENGTH :
156+ XML_MAX_NAME_LENGTH;
157
158 #ifdef DEBUG
159 nbParseNCName++;
160@@ -3492,8 +3501,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
161 goto complex;
162 if ((*in > 0) && (*in < 0x80)) {
163 count = in - ctxt->input->cur;
164- if ((count > XML_MAX_NAME_LENGTH) &&
165- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
166+ if (count > maxLength) {
167 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
168 return(NULL);
169 }
170@@ -3575,6 +3583,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
171 const xmlChar *cur = *str;
172 int len = 0, l;
173 int c;
174+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
175+ XML_MAX_TEXT_LENGTH :
176+ XML_MAX_NAME_LENGTH;
177
178 #ifdef DEBUG
179 nbParseStringName++;
180@@ -3610,12 +3621,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
181 if (len + 10 > max) {
182 xmlChar *tmp;
183
184- if ((len > XML_MAX_NAME_LENGTH) &&
185- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
186- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
187- xmlFree(buffer);
188- return(NULL);
189- }
190 max *= 2;
191 tmp = (xmlChar *) xmlRealloc(buffer,
192 max * sizeof(xmlChar));
193@@ -3629,14 +3634,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
194 COPY_BUF(l,buffer,len,c);
195 cur += l;
196 c = CUR_SCHAR(cur, l);
197+ if (len > maxLength) {
198+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
199+ xmlFree(buffer);
200+ return(NULL);
201+ }
202 }
203 buffer[len] = 0;
204 *str = cur;
205 return(buffer);
206 }
207 }
208- if ((len > XML_MAX_NAME_LENGTH) &&
209- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
210+ if (len > maxLength) {
211 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
212 return(NULL);
213 }
214@@ -3663,6 +3672,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
215 int len = 0, l;
216 int c;
217 int count = 0;
218+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
219+ XML_MAX_TEXT_LENGTH :
220+ XML_MAX_NAME_LENGTH;
221
222 #ifdef DEBUG
223 nbParseNmToken++;
224@@ -3714,12 +3726,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
225 if (len + 10 > max) {
226 xmlChar *tmp;
227
228- if ((max > XML_MAX_NAME_LENGTH) &&
229- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
230- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
231- xmlFree(buffer);
232- return(NULL);
233- }
234 max *= 2;
235 tmp = (xmlChar *) xmlRealloc(buffer,
236 max * sizeof(xmlChar));
237@@ -3733,6 +3739,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
238 COPY_BUF(l,buffer,len,c);
239 NEXTL(l);
240 c = CUR_CHAR(l);
241+ if (len > maxLength) {
242+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
243+ xmlFree(buffer);
244+ return(NULL);
245+ }
246 }
247 buffer[len] = 0;
248 return(buffer);
249@@ -3740,8 +3751,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
250 }
251 if (len == 0)
252 return(NULL);
253- if ((len > XML_MAX_NAME_LENGTH) &&
254- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
255+ if (len > maxLength) {
256 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
257 return(NULL);
258 }
259@@ -3767,6 +3777,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
260 int len = 0;
261 int size = XML_PARSER_BUFFER_SIZE;
262 int c, l;
263+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
264+ XML_MAX_HUGE_LENGTH :
265+ XML_MAX_TEXT_LENGTH;
266 xmlChar stop;
267 xmlChar *ret = NULL;
268 const xmlChar *cur = NULL;
269@@ -3826,6 +3839,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
270 GROW;
271 c = CUR_CHAR(l);
272 }
273+
274+ if (len > maxLength) {
275+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
276+ "entity value too long\n");
277+ goto error;
278+ }
279 }
280 buf[len] = 0;
281 if (ctxt->instate == XML_PARSER_EOF)
282@@ -3913,6 +3932,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
283 xmlChar *rep = NULL;
284 size_t len = 0;
285 size_t buf_size = 0;
286+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
287+ XML_MAX_HUGE_LENGTH :
288+ XML_MAX_TEXT_LENGTH;
289 int c, l, in_space = 0;
290 xmlChar *current = NULL;
291 xmlEntityPtr ent;
292@@ -3944,16 +3966,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
293 while (((NXT(0) != limit) && /* checked */
294 (IS_CHAR(c)) && (c != '<')) &&
295 (ctxt->instate != XML_PARSER_EOF)) {
296- /*
297- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE
298- * special option is given
299- */
300- if ((len > XML_MAX_TEXT_LENGTH) &&
301- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
302- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
303- "AttValue length too long\n");
304- goto mem_error;
305- }
306 if (c == '&') {
307 in_space = 0;
308 if (NXT(1) == '#') {
309@@ -4101,6 +4113,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
310 }
311 GROW;
312 c = CUR_CHAR(l);
313+ if (len > maxLength) {
314+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
315+ "AttValue length too long\n");
316+ goto mem_error;
317+ }
318 }
319 if (ctxt->instate == XML_PARSER_EOF)
320 goto error;
321@@ -4122,16 +4139,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
322 } else
323 NEXT;
324
325- /*
326- * There we potentially risk an overflow, don't allow attribute value of
327- * length more than INT_MAX it is a very reasonable assumption !
328- */
329- if (len >= INT_MAX) {
330- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
331- "AttValue length too long\n");
332- goto mem_error;
333- }
334-
335 if (attlen != NULL) *attlen = (int) len;
336 return(buf);
337
338@@ -4202,6 +4209,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
339 int len = 0;
340 int size = XML_PARSER_BUFFER_SIZE;
341 int cur, l;
342+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
343+ XML_MAX_TEXT_LENGTH :
344+ XML_MAX_NAME_LENGTH;
345 xmlChar stop;
346 int state = ctxt->instate;
347 int count = 0;
348@@ -4229,13 +4239,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
349 if (len + 5 >= size) {
350 xmlChar *tmp;
351
352- if ((size > XML_MAX_NAME_LENGTH) &&
353- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
354- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
355- xmlFree(buf);
356- ctxt->instate = (xmlParserInputState) state;
357- return(NULL);
358- }
359 size *= 2;
360 tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
361 if (tmp == NULL) {
362@@ -4264,6 +4267,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
363 SHRINK;
364 cur = CUR_CHAR(l);
365 }
366+ if (len > maxLength) {
367+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
368+ xmlFree(buf);
369+ ctxt->instate = (xmlParserInputState) state;
370+ return(NULL);
371+ }
372 }
373 buf[len] = 0;
374 ctxt->instate = (xmlParserInputState) state;
375@@ -4291,6 +4300,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
376 xmlChar *buf = NULL;
377 int len = 0;
378 int size = XML_PARSER_BUFFER_SIZE;
379+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
380+ XML_MAX_TEXT_LENGTH :
381+ XML_MAX_NAME_LENGTH;
382 xmlChar cur;
383 xmlChar stop;
384 int count = 0;
385@@ -4318,12 +4330,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
386 if (len + 1 >= size) {
387 xmlChar *tmp;
388
389- if ((size > XML_MAX_NAME_LENGTH) &&
390- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
391- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
392- xmlFree(buf);
393- return(NULL);
394- }
395 size *= 2;
396 tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
397 if (tmp == NULL) {
398@@ -4351,6 +4357,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
399 SHRINK;
400 cur = CUR;
401 }
402+ if (len > maxLength) {
403+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
404+ xmlFree(buf);
405+ return(NULL);
406+ }
407 }
408 buf[len] = 0;
409 if (cur != stop) {
410@@ -4750,6 +4761,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
411 int r, rl;
412 int cur, l;
413 size_t count = 0;
414+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
415+ XML_MAX_HUGE_LENGTH :
416+ XML_MAX_TEXT_LENGTH;
417 int inputid;
418
419 inputid = ctxt->input->id;
420@@ -4795,13 +4809,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
421 if ((r == '-') && (q == '-')) {
422 xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL);
423 }
424- if ((len > XML_MAX_TEXT_LENGTH) &&
425- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
426- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
427- "Comment too big found", NULL);
428- xmlFree (buf);
429- return;
430- }
431 if (len + 5 >= size) {
432 xmlChar *new_buf;
433 size_t new_size;
434@@ -4839,6 +4846,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
435 GROW;
436 cur = CUR_CHAR(l);
437 }
438+
439+ if (len > maxLength) {
440+ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
441+ "Comment too big found", NULL);
442+ xmlFree (buf);
443+ return;
444+ }
445 }
446 buf[len] = 0;
447 if (cur == 0) {
448@@ -4883,6 +4897,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) {
449 xmlChar *buf = NULL;
450 size_t size = XML_PARSER_BUFFER_SIZE;
451 size_t len = 0;
452+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
453+ XML_MAX_HUGE_LENGTH :
454+ XML_MAX_TEXT_LENGTH;
455 xmlParserInputState state;
456 const xmlChar *in;
457 size_t nbchar = 0;
458@@ -4966,8 +4983,7 @@ get_more:
459 buf[len] = 0;
460 }
461 }
462- if ((len > XML_MAX_TEXT_LENGTH) &&
463- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
464+ if (len > maxLength) {
465 xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
466 "Comment too big found", NULL);
467 xmlFree (buf);
468@@ -5167,6 +5183,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
469 xmlChar *buf = NULL;
470 size_t len = 0;
471 size_t size = XML_PARSER_BUFFER_SIZE;
472+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
473+ XML_MAX_HUGE_LENGTH :
474+ XML_MAX_TEXT_LENGTH;
475 int cur, l;
476 const xmlChar *target;
477 xmlParserInputState state;
478@@ -5242,14 +5261,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
479 return;
480 }
481 count = 0;
482- if ((len > XML_MAX_TEXT_LENGTH) &&
483- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
484- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
485- "PI %s too big found", target);
486- xmlFree(buf);
487- ctxt->instate = state;
488- return;
489- }
490 }
491 COPY_BUF(l,buf,len,cur);
492 NEXTL(l);
493@@ -5259,15 +5270,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
494 GROW;
495 cur = CUR_CHAR(l);
496 }
497+ if (len > maxLength) {
498+ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
499+ "PI %s too big found", target);
500+ xmlFree(buf);
501+ ctxt->instate = state;
502+ return;
503+ }
504 }
505- if ((len > XML_MAX_TEXT_LENGTH) &&
506- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
507- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
508- "PI %s too big found", target);
509- xmlFree(buf);
510- ctxt->instate = state;
511- return;
512- }
513 buf[len] = 0;
514 if (cur != '?') {
515 xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
516@@ -8959,6 +8969,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
517 const xmlChar *in = NULL, *start, *end, *last;
518 xmlChar *ret = NULL;
519 int line, col;
520+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
521+ XML_MAX_HUGE_LENGTH :
522+ XML_MAX_TEXT_LENGTH;
523
524 GROW;
525 in = (xmlChar *) CUR_PTR;
526@@ -8998,8 +9011,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
527 start = in;
528 if (in >= end) {
529 GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
530- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
531- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
532+ if ((in - start) > maxLength) {
533 xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
534 "AttValue length too long\n");
535 return(NULL);
536@@ -9012,8 +9024,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
537 if ((*in++ == 0x20) && (*in == 0x20)) break;
538 if (in >= end) {
539 GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
540- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
541- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
542+ if ((in - start) > maxLength) {
543 xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
544 "AttValue length too long\n");
545 return(NULL);
546@@ -9046,16 +9057,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
547 last = last + delta;
548 }
549 end = ctxt->input->end;
550- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
551- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
552+ if ((in - start) > maxLength) {
553 xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
554 "AttValue length too long\n");
555 return(NULL);
556 }
557 }
558 }
559- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
560- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
561+ if ((in - start) > maxLength) {
562 xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
563 "AttValue length too long\n");
564 return(NULL);
565@@ -9068,8 +9077,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
566 col++;
567 if (in >= end) {
568 GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
569- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
570- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
571+ if ((in - start) > maxLength) {
572 xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
573 "AttValue length too long\n");
574 return(NULL);
575@@ -9077,8 +9085,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
576 }
577 }
578 last = in;
579- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
580- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
581+ if ((in - start) > maxLength) {
582 xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
583 "AttValue length too long\n");
584 return(NULL);
585@@ -9768,6 +9775,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
586 int s, sl;
587 int cur, l;
588 int count = 0;
589+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
590+ XML_MAX_HUGE_LENGTH :
591+ XML_MAX_TEXT_LENGTH;
592
593 /* Check 2.6.0 was NXT(0) not RAW */
594 if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) {
595@@ -9801,13 +9811,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
596 if (len + 5 >= size) {
597 xmlChar *tmp;
598
599- if ((size > XML_MAX_TEXT_LENGTH) &&
600- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
601- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED,
602- "CData section too big found", NULL);
603- xmlFree (buf);
604- return;
605- }
606 tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar));
607 if (tmp == NULL) {
608 xmlFree(buf);
609@@ -9834,6 +9837,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
610 }
611 NEXTL(l);
612 cur = CUR_CHAR(l);
613+ if (len > maxLength) {
614+ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED,
615+ "CData section too big found\n");
616+ xmlFree(buf);
617+ return;
618+ }
619 }
620 buf[len] = 0;
621 ctxt->instate = XML_PARSER_CONTENT;
622--
6232.25.1
624
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch
new file mode 100644
index 0000000000..b24be03315
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch
@@ -0,0 +1,106 @@
1From cde95d801abc9405ca821ad814c7730333328d96 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Wed, 31 Aug 2022 22:11:25 +0200
4Subject: [PATCH] CVE-2022-40304
5
6Fix dict corruption caused by entity reference cycles
7
8When an entity reference cycle is detected, the entity content is
9cleared by setting its first byte to zero. But the entity content might
10be allocated from a dict. In this case, the dict entry becomes corrupted
11leading to all kinds of logic errors, including memory errors like
12double-frees.
13
14Stop storing entity content, orig, ExternalID and SystemID in a dict.
15These values are unlikely to occur multiple times in a document, so they
16shouldn't have been stored in a dict in the first place.
17
18Thanks to Ned Williamson and Nathan Wachholz working with Google Project
19Zero for the report!
20
21Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b]
22CVE: CVE-2022-40304
23Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
24---
25 entities.c | 55 ++++++++++++++++--------------------------------------
26 1 file changed, 16 insertions(+), 39 deletions(-)
27
28diff --git a/entities.c b/entities.c
29index 1a8f86f..ec1b9a7 100644
30--- a/entities.c
31+++ b/entities.c
32@@ -112,36 +112,19 @@ xmlFreeEntity(xmlEntityPtr entity)
33 if ((entity->children) && (entity->owner == 1) &&
34 (entity == (xmlEntityPtr) entity->children->parent))
35 xmlFreeNodeList(entity->children);
36- if (dict != NULL) {
37- if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name)))
38- xmlFree((char *) entity->name);
39- if ((entity->ExternalID != NULL) &&
40- (!xmlDictOwns(dict, entity->ExternalID)))
41- xmlFree((char *) entity->ExternalID);
42- if ((entity->SystemID != NULL) &&
43- (!xmlDictOwns(dict, entity->SystemID)))
44- xmlFree((char *) entity->SystemID);
45- if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI)))
46- xmlFree((char *) entity->URI);
47- if ((entity->content != NULL)
48- && (!xmlDictOwns(dict, entity->content)))
49- xmlFree((char *) entity->content);
50- if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig)))
51- xmlFree((char *) entity->orig);
52- } else {
53- if (entity->name != NULL)
54- xmlFree((char *) entity->name);
55- if (entity->ExternalID != NULL)
56- xmlFree((char *) entity->ExternalID);
57- if (entity->SystemID != NULL)
58- xmlFree((char *) entity->SystemID);
59- if (entity->URI != NULL)
60- xmlFree((char *) entity->URI);
61- if (entity->content != NULL)
62- xmlFree((char *) entity->content);
63- if (entity->orig != NULL)
64- xmlFree((char *) entity->orig);
65- }
66+ if ((entity->name != NULL) &&
67+ ((dict == NULL) || (!xmlDictOwns(dict, entity->name))))
68+ xmlFree((char *) entity->name);
69+ if (entity->ExternalID != NULL)
70+ xmlFree((char *) entity->ExternalID);
71+ if (entity->SystemID != NULL)
72+ xmlFree((char *) entity->SystemID);
73+ if (entity->URI != NULL)
74+ xmlFree((char *) entity->URI);
75+ if (entity->content != NULL)
76+ xmlFree((char *) entity->content);
77+ if (entity->orig != NULL)
78+ xmlFree((char *) entity->orig);
79 xmlFree(entity);
80 }
81
82@@ -177,18 +160,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type,
83 ret->SystemID = xmlStrdup(SystemID);
84 } else {
85 ret->name = xmlDictLookup(dict, name, -1);
86- if (ExternalID != NULL)
87- ret->ExternalID = xmlDictLookup(dict, ExternalID, -1);
88- if (SystemID != NULL)
89- ret->SystemID = xmlDictLookup(dict, SystemID, -1);
90+ ret->ExternalID = xmlStrdup(ExternalID);
91+ ret->SystemID = xmlStrdup(SystemID);
92 }
93 if (content != NULL) {
94 ret->length = xmlStrlen(content);
95- if ((dict != NULL) && (ret->length < 5))
96- ret->content = (xmlChar *)
97- xmlDictLookup(dict, content, ret->length);
98- else
99- ret->content = xmlStrndup(content, ret->length);
100+ ret->content = xmlStrndup(content, ret->length);
101 } else {
102 ret->length = 0;
103 ret->content = NULL;
104--
1052.25.1
106
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index 519985bbae..fffe7dda98 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -23,6 +23,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
23 file://remove-fuzz-from-ptests.patch \ 23 file://remove-fuzz-from-ptests.patch \
24 file://libxml-m4-use-pkgconfig.patch \ 24 file://libxml-m4-use-pkgconfig.patch \
25 file://0001-Port-gentest.py-to-Python-3.patch \ 25 file://0001-Port-gentest.py-to-Python-3.patch \
26 file://CVE-2022-40303.patch \
27 file://CVE-2022-40304.patch \
26 " 28 "
27 29
28SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" 30SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-02-02 12:15:22 +0000