1 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
new file mode 100644
index 0000000000..defbe7867b
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
@@ -0,0 +1,49 @@
+From 5ae9c39401f679648301efa6d2d35e09cc376462 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 1 May 2021 16:53:33 +0200
+Subject: [PATCH 3/3] Propagate error in xmlParseElementChildrenContentDeclPriv
+Check return value of recursive calls to
+xmlParseElementChildrenContentDeclPriv and return immediately in case
+of errors. Otherwise, struct xmlElementContent could contain unexpected
+null pointers, leading to a null deref when post-validating documents
+which aren't well-formed and parsed in recovery mode.
+Fixes #243.
+CVE: CVE-2021-3537
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61]
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/parser.c b/parser.c
+index a34bb6cd..bbcff39f 100644
+--- a/parser.c
+++ b/parser.c
+@@ -6195,6 +6195,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+        SKIP_BLANKS;
+         cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+                                                            depth + 1);
+        if (cur == NULL)
+            return(NULL);
+        SKIP_BLANKS;
+        GROW;
+     } else {
+@@ -6328,6 +6330,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+            SKIP_BLANKS;
+            last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+                                                           depth + 1);
+            if (last == NULL) {
+               if (ret != NULL)
+                   xmlFreeDocElementContent(ctxt->myDoc, ret);
+               return(NULL);
+            }
+            SKIP_BLANKS;
+        } else {
+            elem = xmlParseName(ctxt);
+-- 
+2.25.1

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch new file mode 100644 index 0000000000..defbe7867b --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
@@ -0,0 +1,49 @@
	1	From 5ae9c39401f679648301efa6d2d35e09cc376462 Mon Sep 17 00:00:00 2001
	2	From: Nick Wellnhofer <wellnhofer@aevum.de>
	3	Date: Sat, 1 May 2021 16:53:33 +0200
	4	Subject: [PATCH 3/3] Propagate error in xmlParseElementChildrenContentDeclPriv
	5
	6	Check return value of recursive calls to
	7	xmlParseElementChildrenContentDeclPriv and return immediately in case
	8	of errors. Otherwise, struct xmlElementContent could contain unexpected
	9	null pointers, leading to a null deref when post-validating documents
	10	which aren't well-formed and parsed in recovery mode.
	11
	12	Fixes #243.
	13
	14	CVE: CVE-2021-3537
	15	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61]
	16
	17	Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
	18	---
	19	parser.c \| 7 +++++++
	20	1 file changed, 7 insertions(+)
	21
	22	diff --git a/parser.c b/parser.c
	23	index a34bb6cd..bbcff39f 100644
	24	--- a/parser.c
	25	+++ b/parser.c
	26	@@ -6195,6 +6195,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
	27	SKIP_BLANKS;
	28	cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
	29	depth + 1);
	30	+ if (cur == NULL)
	31	+ return(NULL);
	32	SKIP_BLANKS;
	33	GROW;
	34	} else {
	35	@@ -6328,6 +6330,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
	36	SKIP_BLANKS;
	37	last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
	38	depth + 1);
	39	+ if (last == NULL) {
	40	+ if (ret != NULL)
	41	+ xmlFreeDocElementContent(ctxt->myDoc, ret);
	42	+ return(NULL);
	43	+ }
	44	SKIP_BLANKS;
	45	} else {
	46	elem = xmlParseName(ctxt);
	47	--
	48	2.25.1
	49