From 559ccc284987846c5b266cc2bc5ecd91c1c155f9 Mon Sep 17 00:00:00 2001
From: Thiruvadi Rajaraman
Date: Sat, 4 Nov 2017 08:10:45 -0700
Subject: curl: Security fix for CVE-2016-9586
Affected versions: libcurl 7.1 to and including 7.51.0
Not affected versions: libcurl >= 7.52.0
Signed-off-by: Thiruvadi Rajaraman
Signed-off-by: Armin Kuster
---
meta/recipes-support/curl/curl/CVE-2016-9586.patch | 66 ++++++++++++++++++++++
meta/recipes-support/curl/curl_7.50.1.bb | 1 +
2 files changed, 67 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2016-9586.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2016-9586.patch b/meta/recipes-support/curl/curl/CVE-2016-9586.patch
new file mode 100644
index 0000000000..1103cb05d8
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-9586.patch
@@ -0,0 +1,66 @@
+commit 3ab3c16db6a5674f53cf23d56512a405fde0b2c9
+Author: Daniel Stenberg
+Date: Tue Nov 8 15:32:37 2016 +0100
+
+ printf: fix floating point buffer overflow issues
+
+ ... and add a bunch of floating point printf tests
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-9586.patch
+dropped the tests as they require more changes to work.
+
+CVE: CVE-2016-9586
+Signed-off-by: Thiruvadi Rajaraman
+
+Index: curl-7.50.1/lib/mprintf.c
+===================================================================
+--- curl-7.50.1.orig/lib/mprintf.c 2017-06-15 18:24:08.934720707 +0530
++++ curl-7.50.1/lib/mprintf.c 2017-06-15 18:24:09.318720721 +0530
+@@ -92,7 +92,8 @@
+ # define mp_uintmax_t unsigned long
+ #endif
+
+-#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */
++#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should
++ fit negative DBL_MAX (317 letters) */
+ #define MAX_PARAMETERS 128 /* lame static limit */
+
+ #ifdef __AMIGA__
+@@ -910,12 +911,25 @@
+ *fptr = 0;
+
+ if(width >= 0) {
++ if(width >= (long)sizeof(work))
++ width = sizeof(work)-1;
+ /* RECURSIVE USAGE */
+ len = curl_msnprintf(fptr, left, "%ld", width);
+ fptr += len;
+ left -= len;
+ }
+ if(prec >= 0) {
++ /* for each digit in the integer part, we can have one less
++ precision */
++ size_t maxprec = sizeof(work) - 2;
++ double val = p->data.dnum;
++ while(val >= 10.0) {
++ val /= 10;
++ maxprec--;
++ }
++
++ if(prec > (long)maxprec)
++ prec = maxprec-1;
+ /* RECURSIVE USAGE */
+ len = curl_msnprintf(fptr, left, ".%ld", prec);
+ fptr += len;
+ left -= len;
+@@ -935,7 +949,9 @@
+ /* NOTE NOTE NOTE!! Not all sprintf implementations return number of
+ output characters */
+ (sprintf)(work, formatbuf, p->data.dnum);
+-
++#ifdef CURLDEBUG
++ assert(strlen(work) <= sizeof(work));
++#endif
+ for(fptr=work; *fptr; fptr++)
+ OUTCHAR(*fptr);
+ }
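Review bot: The digit-counting loop added under `if(prec >= 0)` does not terminate for positive infinity: `val /= 10` leaves an infinite `val` unchanged, so `while(val >= 10.0)` spins forever and `maxprec--` wraps, which turns formatting a non-finite double with an explicit precision into a hang; bounding it as `while(val >= 10.0 && maxprec > 1)` terminates for infinity (the output "inf" fits at any precision) and is a no-op for finite values, since DBL_MAX has 309 integer digits against a 324-byte budget. The same loop is skipped entirely for negative numbers, so neither the `-` sign nor the integer digits of a negative `dnum` are subtracted from `maxprec`, and the new clamp still lets e.g. `-0.5` at precision 323 run one byte past `work`; take the magnitude and reserve the sign byte first, `if(val < 0.0) { val = -val; maxprec--; }`. The CURLDEBUG check `assert(strlen(work) <= sizeof(work));` is off by one — a string whose length equals `sizeof(work)` has already written its terminator past the end — so it should read `assert(strlen(work) < sizeof(work));`. The enclosing formatter function starts and ends outside this hunk, and whether mprintf.c already includes `assert.h` for the CURLDEBUG build is not visible here.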
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.50.1.bb
index bdf5d73b31..67bbdebfe7 100644
--- a/meta/recipes-support/curl/curl_7.50.1.bb
+++ b/meta/recipes-support/curl/curl_7.50.1.bb
@@ -21,6 +21,7 @@ SRC_URI += " file://configure_ac.patch \
file://CVE-2016-8623.patch \
file://CVE-2016-8617.patch \
file://CVE-2016-8624.patch \
+ file://CVE-2016-9586.patch \
"
SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"
-- cgit 1.2.3-korg