authorArmin Kuster <akuster@mvista.com>2016-07-09 15:01:15 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-07-27 08:29:38 +0100
commitd0e3cc8c9234083a4ad6a0c1befe02b6076b084c (patch)
tree8db674ebc2114a98f91b84d848fce8e66b8b403b
parent6f6132dc3aeb0d660c9730f6f33e9194a6098226 (diff)
downloadopenembedded-core-contrib-d0e3cc8c9234083a4ad6a0c1befe02b6076b084c.tar.gz
libxml2: Security fix for CVE-2016-1837
Affects libxml2 < 2.9.4.

Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch143
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.2.bb1
2 files changed, 144 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch
new file mode 100644
index 0000000000..0ed527ad20
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch
@@ -0,0 +1,143 @@
+From 11ed4a7a90d5ce156a18980a4ad4e53e77384852 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Wed, 2 Mar 2016 15:52:24 -0800
+Subject: [PATCH] Heap use-after-free in htmlParsePubidLiteral and
+ htmlParseSystemiteral
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=760263
+
+* HTMLparser.c: Add BASE_PTR convenience macro.
+(htmlParseSystemLiteral): Store length and start position instead
+of a pointer while iterating through the public identifier since
+the underlying buffer may change, resulting in a stale pointer
+being used.
+(htmlParsePubidLiteral): Ditto.
+
+Upstream-status: Backport
+CVE: CVE-2016-1837.patch
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ HTMLparser.c | 58 +++++++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 43 insertions(+), 15 deletions(-)
+
+Index: libxml2-2.9.2/HTMLparser.c
+===================================================================
+--- libxml2-2.9.2.orig/HTMLparser.c
++++ libxml2-2.9.2/HTMLparser.c
+@@ -303,6 +303,7 @@ htmlNodeInfoPop(htmlParserCtxtPtr ctxt)
+ #define UPP(val) (toupper(ctxt->input->cur[(val)]))
+
+ #define CUR_PTR ctxt->input->cur
++#define BASE_PTR ctxt->input->base
+
+ #define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \
+ (ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \
+@@ -2773,31 +2774,43 @@ htmlParseAttValue(htmlParserCtxtPtr ctxt
+
+ static xmlChar *
+ htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) {
+- const xmlChar *q;
++ size_t len = 0, startPosition = 0;
+ xmlChar *ret = NULL;
+
+ if (CUR == '"') {
+ NEXT;
+- q = CUR_PTR;
+- while ((IS_CHAR_CH(CUR)) && (CUR != '"'))
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while ((IS_CHAR_CH(CUR)) && (CUR != '"')) {
+ NEXT;
++ len++;
++ }
+ if (!IS_CHAR_CH(CUR)) {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished SystemLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR+startPosition), len);
+ NEXT;
+ }
+ } else if (CUR == '\'') {
+ NEXT;
+- q = CUR_PTR;
+- while ((IS_CHAR_CH(CUR)) && (CUR != '\''))
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) {
+ NEXT;
++ len++;
++ }
+ if (!IS_CHAR_CH(CUR)) {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished SystemLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR+startPosition), len);
+ NEXT;
+ }
+ } else {
+@@ -2821,32 +2834,47 @@ htmlParseSystemLiteral(htmlParserCtxtPtr
+
+ static xmlChar *
+ htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) {
+- const xmlChar *q;
++ size_t len = 0, startPosition = 0;
+ xmlChar *ret = NULL;
+ /*
+ * Name ::= (Letter | '_') (NameChar)*
+ */
+ if (CUR == '"') {
+ NEXT;
+- q = CUR_PTR;
+- while (IS_PUBIDCHAR_CH(CUR)) NEXT;
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while (IS_PUBIDCHAR_CH(CUR)) {
++ len++;
++ NEXT;
++ }
++
+ if (CUR != '"') {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished PubidLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR + startPosition), len);
+ NEXT;
+ }
+ } else if (CUR == '\'') {
+ NEXT;
+- q = CUR_PTR;
+- while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\''))
+- NEXT;
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){
++ len++;
++ NEXT;
++ }
++
+ if (CUR != '\'') {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished PubidLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR + startPosition), len);
+ NEXT;
+ }
+ } else {
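Review bot: The `len++` in each of the four scanning loops of htmlParseSystemLiteral and htmlParsePubidLiteral counts loop iterations rather than bytes, so the `xmlStrndup((BASE_PTR+startPosition), len)` calls only return the whole literal if `NEXT` always advances `cur` by exactly one byte; `NEXT` is defined outside this hunk, and if it steps over multi-byte sequences the copied literal is silently truncated. Deriving the length from the offsets after the loop removes that dependency while still reading the base pointer only after any reallocation has happened, which is what the backport is protecting against: `ret = xmlStrndup(BASE_PTR + startPosition, CUR_PTR - (BASE_PTR + startPosition));` at each of the four sites. Separately, the backport header carries `Upstream-status: Backport` and `CVE: CVE-2016-1837.patch`; the oe-core convention that cve-check keys on is `Upstream-Status: Backport` and the bare identifier `CVE: CVE-2016-1837`. Both functions continue past the end of the hunk, so their trailing error branches are not visible here.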
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index 10e4b563f3..eeed6ac170 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -13,6 +13,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
file://CVE-2016-1839.patch \
file://CVE-2016-1836.patch \
file://CVE-2016-4449.patch \
+ file://CVE-2016-1837.patch \
"
SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"