Diffstat (limited to 'meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch | 208 |
1 files changed, 208 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch
new file mode 100644
index 0000000000..bfea8fde55
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch
@@ -0,0 +1,208 @@
+From 502f6a6d08b08c04b3ddfb1cd21b2f699c1b7f5b Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Mon, 23 May 2016 14:58:41 +0800
+Subject: [PATCH] More format string warnings with possible format string
+ vulnerability
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=761029
+
+adds a new xmlEscapeFormatString() function to escape composed format
+strings
+
+Upstream-Status: Backport
+CVE: CVE-2016-4448 patch #2
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libxml.h | 3 +++
+ relaxng.c | 3 ++-
+ xmlschemas.c | 39 ++++++++++++++++++++++++++-------------
+ xmlstring.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 86 insertions(+), 14 deletions(-)
+
+Index: libxml2-2.9.2/libxml.h
+===================================================================
+--- libxml2-2.9.2.orig/libxml.h
+++ libxml2-2.9.2/libxml.h
+@@ -9,6 +9,8 @@
+ #ifndef __XML_LIBXML_H__
+ #define __XML_LIBXML_H__
+
++#include <libxml/xmlstring.h>
++
+ #ifndef NO_LARGEFILE_SOURCE
+ #ifndef _LARGEFILE_SOURCE
+ #define _LARGEFILE_SOURCE
+@@ -96,6 +98,7 @@ int __xmlInitializeDict(void);
+ int __xmlRandom(void);
+ #endif
+
++XMLPUBFUN xmlChar * XMLCALL xmlEscapeFormatString(xmlChar **msg);
+ int xmlNop(void);
+
+ #ifdef IN_LIBXML
+Index: libxml2-2.9.2/relaxng.c
+===================================================================
+--- libxml2-2.9.2.orig/relaxng.c
+++ libxml2-2.9.2/relaxng.c
+@@ -2215,7 +2215,8 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValid
+ snprintf(msg, 1000, "Unknown error code %d\n", err);
+ }
+ msg[1000 - 1] = 0;
+- return (xmlStrdup((xmlChar *) msg));
++ xmlChar *result = xmlCharStrdup(msg);
++ return (xmlEscapeFormatString(&result));
+ }
+
+ /**
+Index: libxml2-2.9.2/xmlschemas.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlschemas.c
+++ libxml2-2.9.2/xmlschemas.c
+@@ -1769,7 +1769,7 @@ xmlSchemaFormatItemForReport(xmlChar **b
+ }
+ FREE_AND_NULL(str)
+
+- return (*buf);
++ return (xmlEscapeFormatString(buf));
+ }
+
+ /**
+@@ -2249,6 +2249,13 @@ xmlSchemaFormatNodeForError(xmlChar ** m
+ TODO
+ return (NULL);
+ }
++
++ /*
++ * xmlSchemaFormatItemForReport() also returns an escaped format
++ * string, so do this before calling it below (in the future).
++ */
++ xmlEscapeFormatString(msg);
++
+ /*
+ * VAL TODO: The output of the given schema component is currently
+ * disabled.
+@@ -2476,11 +2483,13 @@ xmlSchemaSimpleTypeErr(xmlSchemaAbstract
+ msg = xmlStrcat(msg, BAD_CAST " '");
+ if (type->builtInType != 0) {
+ msg = xmlStrcat(msg, BAD_CAST "xs:");
+- msg = xmlStrcat(msg, type->name);
+- } else
+- msg = xmlStrcat(msg,
+- xmlSchemaFormatQName(&str,
+- type->targetNamespace, type->name));
++ str = xmlStrdup(type->name);
++ } else {
++ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
++ if (!str)
++ str = xmlStrdup(qName);
++ }
++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+ msg = xmlStrcat(msg, BAD_CAST "'");
+ FREE_AND_NULL(str);
+ }
+@@ -2617,7 +2626,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstrac
+ str = xmlStrcat(str, BAD_CAST ", ");
+ }
+ str = xmlStrcat(str, BAD_CAST " ).\n");
+- msg = xmlStrcat(msg, BAD_CAST str);
++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+ FREE_AND_NULL(str)
+ } else
+ msg = xmlStrcat(msg, BAD_CAST "\n");
+@@ -3141,11 +3150,13 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC
+ msg = xmlStrcat(msg, BAD_CAST " '");
+ if (type->builtInType != 0) {
+ msg = xmlStrcat(msg, BAD_CAST "xs:");
+- msg = xmlStrcat(msg, type->name);
+- } else
+- msg = xmlStrcat(msg,
+- xmlSchemaFormatQName(&str,
+- type->targetNamespace, type->name));
++ str = xmlStrdup(type->name);
++ } else {
++ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
++ if (!str)
++ str = xmlStrdup(qName);
++ }
++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+ msg = xmlStrcat(msg, BAD_CAST "'.");
+ FREE_AND_NULL(str);
+ }
+@@ -3158,7 +3169,9 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC
+ }
+ if (expected) {
+ msg = xmlStrcat(msg, BAD_CAST " Expected is '");
+- msg = xmlStrcat(msg, BAD_CAST expected);
++ xmlChar *expectedEscaped = xmlCharStrdup(expected);
++ msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped));
++ FREE_AND_NULL(expectedEscaped);
+ msg = xmlStrcat(msg, BAD_CAST "'.\n");
+ } else
+ msg = xmlStrcat(msg, BAD_CAST "\n");
+Index: libxml2-2.9.2/xmlstring.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlstring.c
+++ libxml2-2.9.2/xmlstring.c
+@@ -987,5 +987,60 @@ xmlUTF8Strsub(const xmlChar *utf, int st
+ return(xmlUTF8Strndup(utf, len));
+ }
+
++/**
++ * xmlEscapeFormatString:
++ * @msg: a pointer to the string in which to escape '%' characters.
++ * Must be a heap-allocated buffer created by libxml2 that may be
++ * returned, or that may be freed and replaced.
++ *
++ * Replaces the string pointed to by 'msg' with an escaped string.
++ * Returns the same string with all '%' characters escaped.
++ */
++xmlChar *
++xmlEscapeFormatString(xmlChar **msg)
++{
++ xmlChar *msgPtr = NULL;
++ xmlChar *result = NULL;
++ xmlChar *resultPtr = NULL;
++ size_t count = 0;
++ size_t msgLen = 0;
++ size_t resultLen = 0;
++
++ if (!msg || !*msg)
++ return(NULL);
++
++ for (msgPtr = *msg; *msgPtr != '\0'; ++msgPtr) {
++ ++msgLen;
++ if (*msgPtr == '%')
++ ++count;
++ }
++
++ if (count == 0)
++ return(*msg);
++
++ resultLen = msgLen + count + 1;
++ result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar));
++ if (result == NULL) {
++ /* Clear *msg to prevent format string vulnerabilities in
++ out-of-memory situations. */
++ xmlFree(*msg);
++ *msg = NULL;
++ xmlErrMemory(NULL, NULL);
++ return(NULL);
++ }
++
++ for (msgPtr = *msg, resultPtr = result; *msgPtr != '\0'; ++msgPtr, ++resultPtr) {
++ *resultPtr = *msgPtr;
++ if (*msgPtr == '%')
++ *(++resultPtr) = '%';
++ }
++ result[resultLen - 1] = '\0';
++
++ xmlFree(*msg);
++ *msg = result;
++
++ return *msg;
++}
++
+ #define bottom_xmlstring
+ #include "elfgcchack.h" |
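Review bot: The doc comment on xmlEscapeFormatString() in the xmlstring.c hunk leaves out the failure contract: on allocation failure the function frees `*msg`, sets it to NULL and returns NULL, and on success with at least one '%' the old buffer is freed, so any other pointer to it dangles. This matters at the xmlSchemaFormatNodeForError() call site, where the return value is discarded and the rest of the function lies outside the hunk, so it cannot be confirmed from here that a NULL `*msg` is handled afterwards. I would add to the comment `Returns NULL and sets *msg to NULL if memory allocation fails; the previous buffer is freed whenever a new one is returned.` The comment should also say that the result is meant only to be spliced into a format string, since passing it as a `%s` argument would presumably print the doubled `%%` literally. Separately, `xmlChar *result` in relaxng.c and `xmlChar *expectedEscaped` in xmlschemas.c are declared after statements, which may not build if this tree is still compiled as C89.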