From d4343f428c89c6c238cc7cd4c4732448a00003e4 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Sat, 9 Jul 2016 15:20:50 -0700 Subject: libxml2: Security fix for CVE-2016-4448 Affects libxml2 < 2.9.4 Signed-off-by: Armin Kuster --- .../libxml/libxml2/CVE-2016-4448_1.patch | 1067 ++++++++++++++++++++ .../libxml/libxml2/CVE-2016-4448_2.patch | 208 ++++ meta/recipes-core/libxml/libxml2_2.9.2.bb | 2 + 3 files changed, 1277 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2016-4448_1.patch create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch (limited to 'meta/recipes-core/libxml') diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-4448_1.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_1.patch new file mode 100644 index 0000000000..1d08e57308 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_1.patch @@ -0,0 +1,1067 @@ +From 4472c3a5a5b516aaf59b89be602fbce52756c3e9 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Fri, 13 May 2016 15:13:17 +0800 +Subject: [PATCH] Fix some format string warnings with possible format string + vulnerability + +For https://bugzilla.gnome.org/show_bug.cgi?id=761029 + +Decorate every method in libxml2 with the appropriate +LIBXML_ATTR_FORMAT(fmt,args) macro and add some cleanups +following the reports. + +Upstream-Status: Backport +CVE: CVE-2016-4448 patch #1 +Signed-off-by: Armin Kuster + +--- + HTMLparser.c | 4 +-- + SAX2.c | 12 ++++---- + catalog.c | 2 +- + configure.ac | 4 +-- + debugXML.c | 4 +-- + encoding.c | 2 +- + entities.c | 2 +- + error.c | 2 +- + include/libxml/parserInternals.h | 2 +- + include/libxml/xmlerror.h | 2 +- + include/libxml/xmlstring.h | 8 ++--- + libxml.h | 2 +- + parser.c | 37 +++++++++++----------- + parserInternals.c | 4 +-- + relaxng.c | 4 +-- + schematron.c | 2 +- + testModule.c | 2 +- + valid.c | 8 ++--- + xinclude.c | 4 +-- + xmlIO.c | 14 ++++----- + xmllint.c | 20 ++++++------ + xmlreader.c | 16 +++++++--- + xmlschemas.c | 66 ++++++++++++++++++++-------------------- + xmlstring.c | 4 +-- + xmlwriter.c | 4 +-- + xpath.c | 2 +- + xpointer.c | 2 +- + 27 files changed, 121 insertions(+), 114 deletions(-) + +Index: libxml2-2.9.2/HTMLparser.c +=================================================================== +--- libxml2-2.9.2.orig/HTMLparser.c ++++ libxml2-2.9.2/HTMLparser.c +@@ -105,7 +105,7 @@ htmlErrMemory(xmlParserCtxtPtr ctxt, con + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + htmlParseErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +@@ -132,7 +132,7 @@ htmlParseErr(xmlParserCtxtPtr ctxt, xmlP + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + htmlParseErrInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, int val) + { +Index: libxml2-2.9.2/SAX2.c +=================================================================== +--- libxml2-2.9.2.orig/SAX2.c ++++ libxml2-2.9.2/SAX2.c +@@ -55,7 +55,7 @@ + * @ctxt: an XML validation parser context + * @msg: a string to accompany the error message + */ +-static void ++static void LIBXML_ATTR_FORMAT(2,0) + xmlSAX2ErrMemory(xmlParserCtxtPtr ctxt, const char *msg) { + xmlStructuredErrorFunc schannel = NULL; + const char *str1 = "out of memory\n"; +@@ -93,7 +93,7 @@ xmlSAX2ErrMemory(xmlParserCtxtPtr ctxt, + * + * Handle a validation error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlErrValid(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const char *str1, const char *str2) + { +@@ -133,7 +133,7 @@ xmlErrValid(xmlParserCtxtPtr ctxt, xmlPa + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +@@ -164,7 +164,7 @@ xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xm + * + * Handle a parser warning + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1) + { +@@ -189,7 +189,7 @@ xmlWarnMsg(xmlParserCtxtPtr ctxt, xmlPar + * + * Handle a namespace error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlNsErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +@@ -213,7 +213,7 @@ xmlNsErrMsg(xmlParserCtxtPtr ctxt, xmlPa + * + * Handle a namespace warning + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlNsWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +Index: libxml2-2.9.2/catalog.c +=================================================================== +--- libxml2-2.9.2.orig/catalog.c ++++ libxml2-2.9.2/catalog.c +@@ -238,7 +238,7 @@ xmlCatalogErrMemory(const char *extra) + * + * Handle a catalog error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlCatalogErr(xmlCatalogEntryPtr catal, xmlNodePtr node, int error, + const char *msg, const xmlChar *str1, const xmlChar *str2, + const xmlChar *str3) +Index: libxml2-2.9.2/configure.ac +=================================================================== +--- libxml2-2.9.2.orig/configure.ac ++++ libxml2-2.9.2/configure.ac +@@ -770,7 +770,7 @@ else + fi + + # warnings we'd like to see +- CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls" ++ CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls" + # warnings we'd like to supress + CFLAGS="${CFLAGS} -Wno-long-long" + case "${host}" in +@@ -990,7 +990,7 @@ if [[ "${LOGNAME}" = "veillard" -a "`pwd + fi + fi + if test "${GCC}" = "yes" ; then +- CFLAGS="-g -O -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall" ++ CFLAGS="-g -O -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall" + fi + STATIC_BINARIES="-static" + dnl -Wcast-qual -ansi +Index: libxml2-2.9.2/debugXML.c +=================================================================== +--- libxml2-2.9.2.orig/debugXML.c ++++ libxml2-2.9.2/debugXML.c +@@ -164,7 +164,7 @@ xmlDebugErr(xmlDebugCtxtPtr ctxt, int er + NULL, NULL, NULL, 0, 0, + "%s", msg); + } +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlDebugErr2(xmlDebugCtxtPtr ctxt, int error, const char *msg, int extra) + { + ctxt->errors++; +@@ -174,7 +174,7 @@ xmlDebugErr2(xmlDebugCtxtPtr ctxt, int e + NULL, NULL, NULL, 0, 0, + msg, extra); + } +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlDebugErr3(xmlDebugCtxtPtr ctxt, int error, const char *msg, const char *extra) + { + ctxt->errors++; +Index: libxml2-2.9.2/encoding.c +=================================================================== +--- libxml2-2.9.2.orig/encoding.c ++++ libxml2-2.9.2/encoding.c +@@ -93,7 +93,7 @@ xmlEncodingErrMemory(const char *extra) + * + * n encoding error + */ +-static void ++static void LIBXML_ATTR_FORMAT(2,0) + xmlEncodingErr(xmlParserErrors error, const char *msg, const char *val) + { + __xmlRaiseError(NULL, NULL, NULL, NULL, NULL, +Index: libxml2-2.9.2/entities.c +=================================================================== +--- libxml2-2.9.2.orig/entities.c ++++ libxml2-2.9.2/entities.c +@@ -83,7 +83,7 @@ xmlEntitiesErrMemory(const char *extra) + * + * Handle an out of memory condition + */ +-static void ++static void LIBXML_ATTR_FORMAT(2,0) + xmlEntitiesErr(xmlParserErrors code, const char *msg) + { + __xmlSimpleError(XML_FROM_TREE, code, NULL, msg, NULL); +Index: libxml2-2.9.2/error.c +=================================================================== +--- libxml2-2.9.2.orig/error.c ++++ libxml2-2.9.2/error.c +@@ -18,7 +18,7 @@ + + void XMLCDECL xmlGenericErrorDefaultFunc (void *ctx ATTRIBUTE_UNUSED, + const char *msg, +- ...); ++ ...) LIBXML_ATTR_FORMAT(2,3); + + #define XML_GET_VAR_STR(msg, str) { \ + int size, prev_size = -1; \ +Index: libxml2-2.9.2/include/libxml/parserInternals.h +=================================================================== +--- libxml2-2.9.2.orig/include/libxml/parserInternals.h ++++ libxml2-2.9.2/include/libxml/parserInternals.h +@@ -351,7 +351,7 @@ XMLPUBFUN void XMLCALL + xmlParserErrors xmlerr, + const char *msg, + const xmlChar * str1, +- const xmlChar * str2); ++ const xmlChar * str2) LIBXML_ATTR_FORMAT(3,0); + #endif + + /** +Index: libxml2-2.9.2/include/libxml/xmlerror.h +=================================================================== +--- libxml2-2.9.2.orig/include/libxml/xmlerror.h ++++ libxml2-2.9.2/include/libxml/xmlerror.h +@@ -937,7 +937,7 @@ XMLPUBFUN void XMLCALL + int code, + xmlNodePtr node, + const char *msg, +- const char *extra); ++ const char *extra) LIBXML_ATTR_FORMAT(4,0); + #endif + #ifdef __cplusplus + } +Index: libxml2-2.9.2/include/libxml/xmlstring.h +=================================================================== +--- libxml2-2.9.2.orig/include/libxml/xmlstring.h ++++ libxml2-2.9.2/include/libxml/xmlstring.h +@@ -97,13 +97,13 @@ XMLPUBFUN xmlChar * XMLCALL + XMLPUBFUN int XMLCALL + xmlStrPrintf (xmlChar *buf, + int len, +- const xmlChar *msg, +- ...); ++ const char *msg, ++ ...) LIBXML_ATTR_FORMAT(3,4); + XMLPUBFUN int XMLCALL + xmlStrVPrintf (xmlChar *buf, + int len, +- const xmlChar *msg, +- va_list ap); ++ const char *msg, ++ va_list ap) LIBXML_ATTR_FORMAT(3,0); + + XMLPUBFUN int XMLCALL + xmlGetUTF8Char (const unsigned char *utf, +Index: libxml2-2.9.2/libxml.h +=================================================================== +--- libxml2-2.9.2.orig/libxml.h ++++ libxml2-2.9.2/libxml.h +@@ -71,7 +71,7 @@ extern int __xmlRegisterCallbacks; + * internal error reporting routines, shared but not partof the API. + */ + void __xmlIOErr(int domain, int code, const char *extra); +-void __xmlLoaderErr(void *ctx, const char *msg, const char *filename); ++void __xmlLoaderErr(void *ctx, const char *msg, const char *filename) LIBXML_ATTR_FORMAT(2,0); + #ifdef LIBXML_HTML_ENABLED + /* + * internal function of HTML parser needed for xmlParseInNodeContext +Index: libxml2-2.9.2/parser.c +=================================================================== +--- libxml2-2.9.2.orig/parser.c ++++ libxml2-2.9.2/parser.c +@@ -350,7 +350,6 @@ static void + xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) + { + const char *errmsg; +- char errstr[129] = ""; + + if ((ctxt != NULL) && (ctxt->disableSAX != 0) && + (ctxt->instate == XML_PARSER_EOF)) +@@ -537,15 +536,17 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlPa + default: + errmsg = "Unregistered error message"; + } +- if (info == NULL) +- snprintf(errstr, 128, "%s\n", errmsg); +- else +- snprintf(errstr, 128, "%s: %%s\n", errmsg); + if (ctxt != NULL) + ctxt->errNo = error; +- __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error, +- XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, &errstr[0], +- info); ++ if (info == NULL) { ++ __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error, ++ XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, "%s\n", ++ errmsg); ++ } else { ++ __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error, ++ XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, "%s: %s\n", ++ errmsg, info); ++ } + if (ctxt != NULL) { + ctxt->wellFormed = 0; + if (ctxt->recovery == 0) +@@ -561,7 +562,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlPa + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg) + { +@@ -589,7 +590,7 @@ xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xm + * + * Handle a warning. + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlWarningMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +@@ -627,7 +628,7 @@ xmlWarningMsg(xmlParserCtxtPtr ctxt, xml + * + * Handle a validity error. + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlValidityError(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +@@ -667,7 +668,7 @@ xmlValidityError(xmlParserCtxtPtr ctxt, + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlFatalErrMsgInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, int val) + { +@@ -697,7 +698,7 @@ xmlFatalErrMsgInt(xmlParserCtxtPtr ctxt, + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlFatalErrMsgStrIntStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, int val, + const xmlChar *str2) +@@ -727,7 +728,7 @@ xmlFatalErrMsgStrIntStr(xmlParserCtxtPtr + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlFatalErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar * val) + { +@@ -756,7 +757,7 @@ xmlFatalErrMsgStr(xmlParserCtxtPtr ctxt, + * + * Handle a non fatal parser error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar * val) + { +@@ -781,7 +782,7 @@ xmlErrMsgStr(xmlParserCtxtPtr ctxt, xmlP + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlNsErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, + const xmlChar * info1, const xmlChar * info2, +@@ -810,7 +811,7 @@ xmlNsErr(xmlParserCtxtPtr ctxt, xmlParse + * + * Handle a namespace warning error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlNsWarn(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, + const xmlChar * info1, const xmlChar * info2, +@@ -5538,7 +5539,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt + skipped = SKIP_BLANKS; + if (skipped == 0) { + xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, +- "Space required after '%'\n"); ++ "Space required after '%%'\n"); + } + isParameter = 1; + } +Index: libxml2-2.9.2/parserInternals.c +=================================================================== +--- libxml2-2.9.2.orig/parserInternals.c ++++ libxml2-2.9.2/parserInternals.c +@@ -169,7 +169,7 @@ __xmlErrEncoding(xmlParserCtxtPtr ctxt, + * + * Handle an internal error + */ +-static void ++static void LIBXML_ATTR_FORMAT(2,0) + xmlErrInternal(xmlParserCtxtPtr ctxt, const char *msg, const xmlChar * str) + { + if ((ctxt != NULL) && (ctxt->disableSAX != 0) && +@@ -197,7 +197,7 @@ xmlErrInternal(xmlParserCtxtPtr ctxt, co + * + * n encoding error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlErrEncodingInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, int val) + { +Index: libxml2-2.9.2/relaxng.c +=================================================================== +--- libxml2-2.9.2.orig/relaxng.c ++++ libxml2-2.9.2/relaxng.c +@@ -507,7 +507,7 @@ xmlRngVErrMemory(xmlRelaxNGValidCtxtPtr + * + * Handle a Relax NG Parsing error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlRngPErr(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar * str1, const xmlChar * str2) + { +@@ -541,7 +541,7 @@ xmlRngPErr(xmlRelaxNGParserCtxtPtr ctxt, + * + * Handle a Relax NG Validation error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlRngVErr(xmlRelaxNGValidCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar * str1, const xmlChar * str2) + { +Index: libxml2-2.9.2/schematron.c +=================================================================== +--- libxml2-2.9.2.orig/schematron.c ++++ libxml2-2.9.2/schematron.c +@@ -245,7 +245,7 @@ xmlSchematronPErrMemory(xmlSchematronPar + * + * Handle a parser error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlSchematronPErr(xmlSchematronParserCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar * str1, const xmlChar * str2) + { +Index: libxml2-2.9.2/testModule.c +=================================================================== +--- libxml2-2.9.2.orig/testModule.c ++++ libxml2-2.9.2/testModule.c +@@ -47,7 +47,7 @@ int main(int argc ATTRIBUTE_UNUSED, char + + /* build the module filename, and confirm the module exists */ + xmlStrPrintf(filename, sizeof(filename), +- (const xmlChar*) "%s/testdso%s", ++ "%s/testdso%s", + (const xmlChar*)MODULE_PATH, + (const xmlChar*)LIBXML_MODULE_EXTENSION); + +Index: libxml2-2.9.2/valid.c +=================================================================== +--- libxml2-2.9.2.orig/valid.c ++++ libxml2-2.9.2/valid.c +@@ -93,7 +93,7 @@ xmlVErrMemory(xmlValidCtxtPtr ctxt, cons + * + * Handle a validation error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlErrValid(xmlValidCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const char *extra) + { +@@ -137,7 +137,7 @@ xmlErrValid(xmlValidCtxtPtr ctxt, xmlPar + * + * Handle a validation error, provide contextual informations + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlErrValidNode(xmlValidCtxtPtr ctxt, + xmlNodePtr node, xmlParserErrors error, + const char *msg, const xmlChar * str1, +@@ -180,7 +180,7 @@ xmlErrValidNode(xmlValidCtxtPtr ctxt, + * + * Handle a validation error, provide contextual informations + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlErrValidNodeNr(xmlValidCtxtPtr ctxt, + xmlNodePtr node, xmlParserErrors error, + const char *msg, const xmlChar * str1, +@@ -221,7 +221,7 @@ xmlErrValidNodeNr(xmlValidCtxtPtr ctxt, + * + * Handle a validation error, provide contextual information + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlErrValidWarning(xmlValidCtxtPtr ctxt, + xmlNodePtr node, xmlParserErrors error, + const char *msg, const xmlChar * str1, +Index: libxml2-2.9.2/xinclude.c +=================================================================== +--- libxml2-2.9.2.orig/xinclude.c ++++ libxml2-2.9.2/xinclude.c +@@ -125,7 +125,7 @@ xmlXIncludeErrMemory(xmlXIncludeCtxtPtr + * + * Handle an XInclude error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlXIncludeErr(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar *extra) + { +@@ -147,7 +147,7 @@ xmlXIncludeErr(xmlXIncludeCtxtPtr ctxt, + * + * Emit an XInclude warning. + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlXIncludeWarn(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar *extra) + { +Index: libxml2-2.9.2/xmlIO.c +=================================================================== +--- libxml2-2.9.2.orig/xmlIO.c ++++ libxml2-2.9.2/xmlIO.c +@@ -1604,7 +1604,7 @@ xmlCreateZMemBuff( int compression ) { + xmlFreeZMemBuff( buff ); + buff = NULL; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlCreateZMemBuff: %s %d\n", ++ "xmlCreateZMemBuff: %s %d\n", + "Error initializing compression context. ZLIB error:", + z_err ); + xmlIOErr(XML_IO_WRITE, (const char *) msg); +@@ -1672,7 +1672,7 @@ xmlZMemBuffExtend( xmlZMemBuffPtr buff, + else { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlZMemBuffExtend: %s %lu bytes.\n", ++ "xmlZMemBuffExtend: %s %lu bytes.\n", + "Allocation failure extending output buffer to", + new_size ); + xmlIOErr(XML_IO_WRITE, (const char *) msg); +@@ -1718,7 +1718,7 @@ xmlZMemBuffAppend( xmlZMemBuffPtr buff, + if ( z_err != Z_OK ) { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlZMemBuffAppend: %s %d %s - %d", ++ "xmlZMemBuffAppend: %s %d %s - %d", + "Compression error while appending", + len, "bytes to buffer. ZLIB error", z_err ); + xmlIOErr(XML_IO_WRITE, (const char *) msg); +@@ -1791,7 +1791,7 @@ xmlZMemBuffGetContent( xmlZMemBuffPtr bu + else { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlZMemBuffGetContent: %s - %d\n", ++ "xmlZMemBuffGetContent: %s - %d\n", + "Error flushing zlib buffers. Error code", z_err ); + xmlIOErr(XML_IO_WRITE, (const char *) msg); + } +@@ -1996,7 +1996,7 @@ xmlIOHTTPWrite( void * context, const ch + if ( len < 0 ) { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlIOHTTPWrite: %s\n%s '%s'.\n", ++ "xmlIOHTTPWrite: %s\n%s '%s'.\n", + "Error appending to internal buffer.", + "Error sending document to URI", + ctxt->uri ); +@@ -2068,7 +2068,7 @@ xmlIOHTTPCloseWrite( void * context, con + if ( http_content == NULL ) { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlIOHTTPCloseWrite: %s '%s' %s '%s'.\n", ++ "xmlIOHTTPCloseWrite: %s '%s' %s '%s'.\n", + "Error retrieving content.\nUnable to", + http_mthd, "data to URI", ctxt->uri ); + xmlIOErr(XML_IO_WRITE, (const char *) msg); +@@ -2140,7 +2140,7 @@ xmlIOHTTPCloseWrite( void * context, con + else { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlIOHTTPCloseWrite: HTTP '%s' of %d %s\n'%s' %s %d\n", ++ "xmlIOHTTPCloseWrite: HTTP '%s' of %d %s\n'%s' %s %d\n", + http_mthd, content_lgth, + "bytes to URI", ctxt->uri, + "failed. HTTP return code:", http_rtn ); +Index: libxml2-2.9.2/xmllint.c +=================================================================== +--- libxml2-2.9.2.orig/xmllint.c ++++ libxml2-2.9.2/xmllint.c +@@ -449,7 +449,7 @@ startTimer(void) + * message about the timing performed; format is a printf + * type argument + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2) + endTimer(const char *fmt, ...) + { + long msec; +@@ -485,7 +485,7 @@ startTimer(void) + { + begin = clock(); + } +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2) + endTimer(const char *fmt, ...) + { + long msec; +@@ -514,7 +514,7 @@ startTimer(void) + * Do nothing + */ + } +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2) + endTimer(char *format, ...) + { + /* +@@ -634,7 +634,7 @@ xmlHTMLPrintFileContext(xmlParserInputPt + * Display and format an error messages, gives file, line, position and + * extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlHTMLError(void *ctx, const char *msg, ...) + { + xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; +@@ -671,7 +671,7 @@ xmlHTMLError(void *ctx, const char *msg, + * Display and format a warning messages, gives file, line, position and + * extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlHTMLWarning(void *ctx, const char *msg, ...) + { + xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; +@@ -709,7 +709,7 @@ xmlHTMLWarning(void *ctx, const char *ms + * Display and format an validity error messages, gives file, + * line, position and extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlHTMLValidityError(void *ctx, const char *msg, ...) + { + xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; +@@ -746,7 +746,7 @@ xmlHTMLValidityError(void *ctx, const ch + * Display and format a validity warning messages, gives file, line, + * position and extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlHTMLValidityWarning(void *ctx, const char *msg, ...) + { + xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; +@@ -1410,7 +1410,7 @@ commentDebug(void *ctx ATTRIBUTE_UNUSED, + * Display and format a warning messages, gives file, line, position and + * extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + warningDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) + { + va_list args; +@@ -1433,7 +1433,7 @@ warningDebug(void *ctx ATTRIBUTE_UNUSED, + * Display and format a error messages, gives file, line, position and + * extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + errorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) + { + va_list args; +@@ -1456,7 +1456,7 @@ errorDebug(void *ctx ATTRIBUTE_UNUSED, c + * Display and format a fatalError messages, gives file, line, position and + * extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + fatalErrorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) + { + va_list args; +Index: libxml2-2.9.2/xmlreader.c +=================================================================== +--- libxml2-2.9.2.orig/xmlreader.c ++++ libxml2-2.9.2/xmlreader.c +@@ -4050,13 +4050,19 @@ xmlTextReaderCurrentDoc(xmlTextReaderPtr + } + + #ifdef LIBXML_SCHEMAS_ENABLED +-static char *xmlTextReaderBuildMessage(const char *msg, va_list ap); ++static char *xmlTextReaderBuildMessage(const char *msg, va_list ap) LIBXML_ATTR_FORMAT(1,0); + + static void XMLCDECL +-xmlTextReaderValidityError(void *ctxt, const char *msg, ...); ++xmlTextReaderValidityError(void *ctxt, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3); + + static void XMLCDECL +-xmlTextReaderValidityWarning(void *ctxt, const char *msg, ...); ++xmlTextReaderValidityWarning(void *ctxt, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3); ++ ++static void XMLCDECL ++xmlTextReaderValidityErrorRelay(void *ctx, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3); ++ ++static void XMLCDECL ++xmlTextReaderValidityWarningRelay(void *ctx, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3); + + static void XMLCDECL + xmlTextReaderValidityErrorRelay(void *ctx, const char *msg, ...) +@@ -4850,7 +4856,7 @@ xmlTextReaderStructuredError(void *ctxt, + } + } + +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlTextReaderError(void *ctxt, const char *msg, ...) + { + va_list ap; +@@ -4863,7 +4869,7 @@ xmlTextReaderError(void *ctxt, const cha + + } + +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlTextReaderWarning(void *ctxt, const char *msg, ...) + { + va_list ap; +Index: libxml2-2.9.2/xmlschemas.c +=================================================================== +--- libxml2-2.9.2.orig/xmlschemas.c ++++ libxml2-2.9.2/xmlschemas.c +@@ -1085,7 +1085,7 @@ xmlSchemaGetUnionSimpleTypeMemberTypes(x + static void + xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt, + const char *funcName, +- const char *message); ++ const char *message) LIBXML_ATTR_FORMAT(3,0); + static int + xmlSchemaCheckCOSSTDerivedOK(xmlSchemaAbstractCtxtPtr ctxt, + xmlSchemaTypePtr type, +@@ -1889,7 +1889,7 @@ xmlSchemaPErrMemory(xmlSchemaParserCtxtP + * + * Handle a parser error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlSchemaPErr(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar * str1, const xmlChar * str2) + { +@@ -1922,7 +1922,7 @@ xmlSchemaPErr(xmlSchemaParserCtxtPtr ctx + * + * Handle a parser error + */ +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaPErr2(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, + xmlNodePtr child, int error, + const char *msg, const xmlChar * str1, const xmlChar * str2) +@@ -1951,7 +1951,7 @@ xmlSchemaPErr2(xmlSchemaParserCtxtPtr ct + * + * Handle a parser error + */ +-static void ++static void LIBXML_ATTR_FORMAT(7,0) + xmlSchemaPErrExt(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error, + const xmlChar * strData1, const xmlChar * strData2, + const xmlChar * strData3, const char *msg, const xmlChar * str1, +@@ -2002,7 +2002,7 @@ xmlSchemaVErrMemory(xmlSchemaValidCtxtPt + extra); + } + +-static void ++static void LIBXML_ATTR_FORMAT(2,0) + xmlSchemaPSimpleInternalErr(xmlNodePtr node, + const char *msg, const xmlChar *str) + { +@@ -2013,18 +2013,21 @@ xmlSchemaPSimpleInternalErr(xmlNodePtr n + #define WXS_ERROR_TYPE_ERROR 1 + #define WXS_ERROR_TYPE_WARNING 2 + /** +- * xmlSchemaErr3: ++ * xmlSchemaErr4Line: + * @ctxt: the validation context +- * @node: the context node ++ * @errorLevel: the error level + * @error: the error code ++ * @node: the context node ++ * @line: the line number + * @msg: the error message + * @str1: extra data + * @str2: extra data + * @str3: extra data ++ * @str4: extra data + * + * Handle a validation error + */ +-static void ++static void LIBXML_ATTR_FORMAT(6,0) + xmlSchemaErr4Line(xmlSchemaAbstractCtxtPtr ctxt, + xmlErrorLevel errorLevel, + int error, xmlNodePtr node, int line, const char *msg, +@@ -2139,7 +2142,7 @@ xmlSchemaErr4Line(xmlSchemaAbstractCtxtP + * + * Handle a validation error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlSchemaErr3(xmlSchemaAbstractCtxtPtr actxt, + int error, xmlNodePtr node, const char *msg, + const xmlChar *str1, const xmlChar *str2, const xmlChar *str3) +@@ -2148,7 +2151,7 @@ xmlSchemaErr3(xmlSchemaAbstractCtxtPtr a + msg, str1, str2, str3, NULL); + } + +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlSchemaErr4(xmlSchemaAbstractCtxtPtr actxt, + int error, xmlNodePtr node, const char *msg, + const xmlChar *str1, const xmlChar *str2, +@@ -2158,7 +2161,7 @@ xmlSchemaErr4(xmlSchemaAbstractCtxtPtr a + msg, str1, str2, str3, str4); + } + +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlSchemaErr(xmlSchemaAbstractCtxtPtr actxt, + int error, xmlNodePtr node, const char *msg, + const xmlChar *str1, const xmlChar *str2) +@@ -2181,7 +2184,7 @@ xmlSchemaFormatNodeForError(xmlChar ** m + /* + * Don't try to format other nodes than element and + * attribute nodes. +- * Play save and return an empty string. ++ * Play safe and return an empty string. + */ + *msg = xmlStrdup(BAD_CAST ""); + return(*msg); +@@ -2262,7 +2265,7 @@ xmlSchemaFormatNodeForError(xmlChar ** m + return (*msg); + } + +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlSchemaInternalErr2(xmlSchemaAbstractCtxtPtr actxt, + const char *funcName, + const char *message, +@@ -2273,24 +2276,21 @@ xmlSchemaInternalErr2(xmlSchemaAbstractC + + if (actxt == NULL) + return; +- msg = xmlStrdup(BAD_CAST "Internal error: "); +- msg = xmlStrcat(msg, BAD_CAST funcName); +- msg = xmlStrcat(msg, BAD_CAST ", "); ++ msg = xmlStrdup(BAD_CAST "Internal error: %s, "); + msg = xmlStrcat(msg, BAD_CAST message); + msg = xmlStrcat(msg, BAD_CAST ".\n"); + + if (actxt->type == XML_SCHEMA_CTXT_VALIDATOR) +- xmlSchemaErr(actxt, XML_SCHEMAV_INTERNAL, NULL, +- (const char *) msg, str1, str2); +- ++ xmlSchemaErr3(actxt, XML_SCHEMAV_INTERNAL, NULL, ++ (const char *) msg, (const xmlChar *) funcName, str1, str2); + else if (actxt->type == XML_SCHEMA_CTXT_PARSER) +- xmlSchemaErr(actxt, XML_SCHEMAP_INTERNAL, NULL, +- (const char *) msg, str1, str2); ++ xmlSchemaErr3(actxt, XML_SCHEMAP_INTERNAL, NULL, ++ (const char *) msg, (const xmlChar *) funcName, str1, str2); + + FREE_AND_NULL(msg) + } + +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt, + const char *funcName, + const char *message) +@@ -2299,7 +2299,7 @@ xmlSchemaInternalErr(xmlSchemaAbstractCt + } + + #if 0 +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlSchemaPInternalErr(xmlSchemaParserCtxtPtr pctxt, + const char *funcName, + const char *message, +@@ -2311,7 +2311,7 @@ xmlSchemaPInternalErr(xmlSchemaParserCtx + } + #endif + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaCustomErr4(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2336,7 +2336,7 @@ xmlSchemaCustomErr4(xmlSchemaAbstractCtx + FREE_AND_NULL(msg) + } + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaCustomErr(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2351,7 +2351,7 @@ xmlSchemaCustomErr(xmlSchemaAbstractCtxt + + + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaCustomWarning(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2376,7 +2376,7 @@ xmlSchemaCustomWarning(xmlSchemaAbstract + + + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaKeyrefErr(xmlSchemaValidCtxtPtr vctxt, + xmlParserErrors error, + xmlSchemaPSVIIDCNodePtr idcNode, +@@ -2525,7 +2525,7 @@ xmlSchemaIllegalAttrErr(xmlSchemaAbstrac + FREE_AND_NULL(msg) + } + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaComplexTypeErr(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2625,7 +2625,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstrac + xmlFree(msg); + } + +-static void ++static void LIBXML_ATTR_FORMAT(8,0) + xmlSchemaFacetErr(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2916,7 +2916,7 @@ xmlSchemaPIllegalAttrErr(xmlSchemaParser + * + * Reports an error during parsing. + */ +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaPCustomErrExt(xmlSchemaParserCtxtPtr ctxt, + xmlParserErrors error, + xmlSchemaBasicItemPtr item, +@@ -2952,7 +2952,7 @@ xmlSchemaPCustomErrExt(xmlSchemaParserCt + * + * Reports an error during parsing. + */ +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaPCustomErr(xmlSchemaParserCtxtPtr ctxt, + xmlParserErrors error, + xmlSchemaBasicItemPtr item, +@@ -2977,7 +2977,7 @@ xmlSchemaPCustomErr(xmlSchemaParserCtxtP + * + * Reports an attribute use error during parsing. + */ +-static void ++static void LIBXML_ATTR_FORMAT(6,0) + xmlSchemaPAttrUseErr4(xmlSchemaParserCtxtPtr ctxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -3099,7 +3099,7 @@ xmlSchemaPMutualExclAttrErr(xmlSchemaPar + * Reports a simple type validation error. + * TODO: Should this report the value of an element as well? + */ +-static void ++static void LIBXML_ATTR_FORMAT(8,0) + xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt, + xmlParserErrors error, + xmlSchemaBasicItemPtr ownerItem ATTRIBUTE_UNUSED, +Index: libxml2-2.9.2/xmlstring.c +=================================================================== +--- libxml2-2.9.2.orig/xmlstring.c ++++ libxml2-2.9.2/xmlstring.c +@@ -545,7 +545,7 @@ xmlStrcat(xmlChar *cur, const xmlChar *a + * Returns the number of characters written to @buf or -1 if an error occurs. + */ + int XMLCDECL +-xmlStrPrintf(xmlChar *buf, int len, const xmlChar *msg, ...) { ++xmlStrPrintf(xmlChar *buf, int len, const char *msg, ...) { + va_list args; + int ret; + +@@ -573,7 +573,7 @@ xmlStrPrintf(xmlChar *buf, int len, cons + * Returns the number of characters written to @buf or -1 if an error occurs. + */ + int +-xmlStrVPrintf(xmlChar *buf, int len, const xmlChar *msg, va_list ap) { ++xmlStrVPrintf(xmlChar *buf, int len, const char *msg, va_list ap) { + int ret; + + if((buf == NULL) || (msg == NULL)) { +Index: libxml2-2.9.2/xmlwriter.c +=================================================================== +--- libxml2-2.9.2.orig/xmlwriter.c ++++ libxml2-2.9.2/xmlwriter.c +@@ -113,7 +113,7 @@ static int xmlTextWriterWriteDocCallback + const xmlChar * str, int len); + static int xmlTextWriterCloseDocCallback(void *context); + +-static xmlChar *xmlTextWriterVSprintf(const char *format, va_list argptr); ++static xmlChar *xmlTextWriterVSprintf(const char *format, va_list argptr) LIBXML_ATTR_FORMAT(1,0); + static int xmlOutputBufferWriteBase64(xmlOutputBufferPtr out, int len, + const unsigned char *data); + static void xmlTextWriterStartDocumentCallback(void *ctx); +@@ -153,7 +153,7 @@ xmlWriterErrMsg(xmlTextWriterPtr ctxt, x + * + * Handle a writer error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlWriterErrMsgInt(xmlTextWriterPtr ctxt, xmlParserErrors error, + const char *msg, int val) + { +Index: libxml2-2.9.2/xpath.c +=================================================================== +--- libxml2-2.9.2.orig/xpath.c ++++ libxml2-2.9.2/xpath.c +@@ -639,7 +639,7 @@ xmlXPathErrMemory(xmlXPathContextPtr ctx + xmlChar buf[200]; + + xmlStrPrintf(buf, 200, +- BAD_CAST "Memory allocation failed : %s\n", ++ "Memory allocation failed : %s\n", + extra); + ctxt->lastError.message = (char *) xmlStrdup(buf); + } else { +Index: libxml2-2.9.2/xpointer.c +=================================================================== +--- libxml2-2.9.2.orig/xpointer.c ++++ libxml2-2.9.2/xpointer.c +@@ -85,7 +85,7 @@ xmlXPtrErrMemory(const char *extra) + * + * Handle a redefinition of attribute error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlXPtrErr(xmlXPathParserContextPtr ctxt, int error, + const char * msg, const xmlChar *extra) + { diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch new file mode 100644 index 0000000000..bfea8fde55 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch @@ -0,0 +1,208 @@ +From 502f6a6d08b08c04b3ddfb1cd21b2f699c1b7f5b Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Mon, 23 May 2016 14:58:41 +0800 +Subject: [PATCH] More format string warnings with possible format string + vulnerability + +For https://bugzilla.gnome.org/show_bug.cgi?id=761029 + +adds a new xmlEscapeFormatString() function to escape composed format +strings + +Upstream-Status: Backport +CVE: CVE-2016-4448 patch #2 + +Signed-off-by: Armin Kuster + +--- + libxml.h | 3 +++ + relaxng.c | 3 ++- + xmlschemas.c | 39 ++++++++++++++++++++++++++------------- + xmlstring.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 86 insertions(+), 14 deletions(-) + +Index: libxml2-2.9.2/libxml.h +=================================================================== +--- libxml2-2.9.2.orig/libxml.h ++++ libxml2-2.9.2/libxml.h +@@ -9,6 +9,8 @@ + #ifndef __XML_LIBXML_H__ + #define __XML_LIBXML_H__ + ++#include ++ + #ifndef NO_LARGEFILE_SOURCE + #ifndef _LARGEFILE_SOURCE + #define _LARGEFILE_SOURCE +@@ -96,6 +98,7 @@ int __xmlInitializeDict(void); + int __xmlRandom(void); + #endif + ++XMLPUBFUN xmlChar * XMLCALL xmlEscapeFormatString(xmlChar **msg); + int xmlNop(void); + + #ifdef IN_LIBXML +Index: libxml2-2.9.2/relaxng.c +=================================================================== +--- libxml2-2.9.2.orig/relaxng.c ++++ libxml2-2.9.2/relaxng.c +@@ -2215,7 +2215,8 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValid + snprintf(msg, 1000, "Unknown error code %d\n", err); + } + msg[1000 - 1] = 0; +- return (xmlStrdup((xmlChar *) msg)); ++ xmlChar *result = xmlCharStrdup(msg); ++ return (xmlEscapeFormatString(&result)); + } + + /** +Index: libxml2-2.9.2/xmlschemas.c +=================================================================== +--- libxml2-2.9.2.orig/xmlschemas.c ++++ libxml2-2.9.2/xmlschemas.c +@@ -1769,7 +1769,7 @@ xmlSchemaFormatItemForReport(xmlChar **b + } + FREE_AND_NULL(str) + +- return (*buf); ++ return (xmlEscapeFormatString(buf)); + } + + /** +@@ -2249,6 +2249,13 @@ xmlSchemaFormatNodeForError(xmlChar ** m + TODO + return (NULL); + } ++ ++ /* ++ * xmlSchemaFormatItemForReport() also returns an escaped format ++ * string, so do this before calling it below (in the future). ++ */ ++ xmlEscapeFormatString(msg); ++ + /* + * VAL TODO: The output of the given schema component is currently + * disabled. +@@ -2476,11 +2483,13 @@ xmlSchemaSimpleTypeErr(xmlSchemaAbstract + msg = xmlStrcat(msg, BAD_CAST " '"); + if (type->builtInType != 0) { + msg = xmlStrcat(msg, BAD_CAST "xs:"); +- msg = xmlStrcat(msg, type->name); +- } else +- msg = xmlStrcat(msg, +- xmlSchemaFormatQName(&str, +- type->targetNamespace, type->name)); ++ str = xmlStrdup(type->name); ++ } else { ++ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name); ++ if (!str) ++ str = xmlStrdup(qName); ++ } ++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); + msg = xmlStrcat(msg, BAD_CAST "'"); + FREE_AND_NULL(str); + } +@@ -2617,7 +2626,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstrac + str = xmlStrcat(str, BAD_CAST ", "); + } + str = xmlStrcat(str, BAD_CAST " ).\n"); +- msg = xmlStrcat(msg, BAD_CAST str); ++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); + FREE_AND_NULL(str) + } else + msg = xmlStrcat(msg, BAD_CAST "\n"); +@@ -3141,11 +3150,13 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC + msg = xmlStrcat(msg, BAD_CAST " '"); + if (type->builtInType != 0) { + msg = xmlStrcat(msg, BAD_CAST "xs:"); +- msg = xmlStrcat(msg, type->name); +- } else +- msg = xmlStrcat(msg, +- xmlSchemaFormatQName(&str, +- type->targetNamespace, type->name)); ++ str = xmlStrdup(type->name); ++ } else { ++ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name); ++ if (!str) ++ str = xmlStrdup(qName); ++ } ++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); + msg = xmlStrcat(msg, BAD_CAST "'."); + FREE_AND_NULL(str); + } +@@ -3158,7 +3169,9 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC + } + if (expected) { + msg = xmlStrcat(msg, BAD_CAST " Expected is '"); +- msg = xmlStrcat(msg, BAD_CAST expected); ++ xmlChar *expectedEscaped = xmlCharStrdup(expected); ++ msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped)); ++ FREE_AND_NULL(expectedEscaped); + msg = xmlStrcat(msg, BAD_CAST "'.\n"); + } else + msg = xmlStrcat(msg, BAD_CAST "\n"); +Index: libxml2-2.9.2/xmlstring.c +=================================================================== +--- libxml2-2.9.2.orig/xmlstring.c ++++ libxml2-2.9.2/xmlstring.c +@@ -987,5 +987,60 @@ xmlUTF8Strsub(const xmlChar *utf, int st + return(xmlUTF8Strndup(utf, len)); + } + ++/** ++ * xmlEscapeFormatString: ++ * @msg: a pointer to the string in which to escape '%' characters. ++ * Must be a heap-allocated buffer created by libxml2 that may be ++ * returned, or that may be freed and replaced. ++ * ++ * Replaces the string pointed to by 'msg' with an escaped string. ++ * Returns the same string with all '%' characters escaped. ++ */ ++xmlChar * ++xmlEscapeFormatString(xmlChar **msg) ++{ ++ xmlChar *msgPtr = NULL; ++ xmlChar *result = NULL; ++ xmlChar *resultPtr = NULL; ++ size_t count = 0; ++ size_t msgLen = 0; ++ size_t resultLen = 0; ++ ++ if (!msg || !*msg) ++ return(NULL); ++ ++ for (msgPtr = *msg; *msgPtr != '\0'; ++msgPtr) { ++ ++msgLen; ++ if (*msgPtr == '%') ++ ++count; ++ } ++ ++ if (count == 0) ++ return(*msg); ++ ++ resultLen = msgLen + count + 1; ++ result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar)); ++ if (result == NULL) { ++ /* Clear *msg to prevent format string vulnerabilities in ++ out-of-memory situations. */ ++ xmlFree(*msg); ++ *msg = NULL; ++ xmlErrMemory(NULL, NULL); ++ return(NULL); ++ } ++ ++ for (msgPtr = *msg, resultPtr = result; *msgPtr != '\0'; ++msgPtr, ++resultPtr) { ++ *resultPtr = *msgPtr; ++ if (*msgPtr == '%') ++ *(++resultPtr) = '%'; ++ } ++ result[resultLen - 1] = '\0'; ++ ++ xmlFree(*msg); ++ *msg = result; ++ ++ return *msg; ++} ++ + #define bottom_xmlstring + #include "elfgcchack.h" diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb index c7db1de14e..e221a4f702 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.2.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb @@ -18,6 +18,8 @@ SRC_URI += "file://CVE-2016-1762.patch \ file://CVE-2016-1833.patch \ file://CVE-2016-3627.patch \ file://CVE-2016-4447.patch \ + file://CVE-2016-4448_1.patch \ + file://CVE-2016-4448_2.patch \ " SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788" -- cgit 1.2.3-korg