1 files changed, 37 insertions, 0 deletions

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch
new file mode 100644
index 0000000000..41de9f80d8
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch
@@ -0,0 +1,37 @@
+From cbb271655cadeb8dbb258a64701d9a3a0c4835b4 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Mon, 7 Mar 2016 06:34:26 -0800
+Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
+ <https://bugzilla.gnome.org/show_bug.cgi?id=757711>
+
+* xmlregexp.c:
+(xmlFAParseCharRange): Only advance to the next character if
+there is no error.  Advancing to the next character in case of
+an error while parsing regexp leads to an out of bounds access.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1840
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ xmlregexp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.2/xmlregexp.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlregexp.c
++++ libxml2-2.9.2/xmlregexp.c
+@@ -5052,11 +5052,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr
+ 	ERROR("Expecting the end of a char range");
+ 	return;
+     }
+-    NEXTL(len);
++
+     /* TODO check that the values are acceptable character ranges for XML */
+     if (end < start) {
+ 	ERROR("End of range is before start of range");
+     } else {
++        NEXTL(len);
+         xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
+ 		           XML_REGEXP_CHARVAL, start, end, NULL);
+     }