From 9d894179128771c4a2628c103f5c39e2e6ef13c5 Mon Sep 17 00:00:00 2001
From: Armin Kuster <akuster@mvista.com>
Date: Sat, 9 Jul 2016 14:54:21 -0700
Subject: libxml2: Security fix for CVE-2016-1840

affects libxml2 < 2.9.4

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../libxml/libxml2/CVE-2016-1840.patch             | 37 ++++++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.2.bb          |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch
new file mode 100644
index 0000000000..41de9f80d8
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch
@@ -0,0 +1,37 @@
+From cbb271655cadeb8dbb258a64701d9a3a0c4835b4 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Mon, 7 Mar 2016 06:34:26 -0800
+Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
+ <https://bugzilla.gnome.org/show_bug.cgi?id=757711>
+
+* xmlregexp.c:
+(xmlFAParseCharRange): Only advance to the next character if
+there is no error.  Advancing to the next character in case of
+an error while parsing regexp leads to an out of bounds access.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1840
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ xmlregexp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.2/xmlregexp.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlregexp.c
++++ libxml2-2.9.2/xmlregexp.c
+@@ -5052,11 +5052,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr
+ 	ERROR("Expecting the end of a char range");
+ 	return;
+     }
+-    NEXTL(len);
++
+     /* TODO check that the values are acceptable character ranges for XML */
+     if (end < start) {
+ 	ERROR("End of range is before start of range");
+     } else {
++        NEXTL(len);
+         xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
+ 		           XML_REGEXP_CHARVAL, start, end, NULL);
+     }
diff --git a/meta/recipes-core/libxml/libxml2_2.9.2.bb b/meta/recipes-core/libxml/libxml2_2.9.2.bb
index 41cba644fe..563661b1fd 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@@ -8,6 +8,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
             file://CVE-2016-3705.patch \
             file://CVE-2016-1834.patch \
             file://CVE-2016-4483.patch \
+            file://CVE-2016-1840.patch \
     "
 
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"
-- 
cgit 1.2.3-korg