libxml2: Security fix for CVE-2016-4448

Affects libxml2 < 2.9.4

(From OE-Core rev: d4343f428c89c6c238cc7cd4c4732448a00003e4)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch

@@ -0,0 +1,208 @@
+From 502f6a6d08b08c04b3ddfb1cd21b2f699c1b7f5b Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Mon, 23 May 2016 14:58:41 +0800
+Subject: [PATCH] More format string warnings with possible format string
+ vulnerability
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=761029
+
+adds a new xmlEscapeFormatString() function to escape composed format
+strings
+
+Upstream-Status: Backport
+CVE: CVE-2016-4448 patch #2
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libxml.h     |  3 +++
+ relaxng.c    |  3 ++-
+ xmlschemas.c | 39 ++++++++++++++++++++++++++-------------
+ xmlstring.c  | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 86 insertions(+), 14 deletions(-)
+
+Index: libxml2-2.9.2/libxml.h
+===================================================================
+--- libxml2-2.9.2.orig/libxml.h
++++ libxml2-2.9.2/libxml.h
+@@ -9,6 +9,8 @@
+ #ifndef __XML_LIBXML_H__
+ #define __XML_LIBXML_H__
+ 
++#include <libxml/xmlstring.h>
++
+ #ifndef NO_LARGEFILE_SOURCE
+ #ifndef _LARGEFILE_SOURCE
+ #define _LARGEFILE_SOURCE
+@@ -96,6 +98,7 @@ int __xmlInitializeDict(void);
+ int __xmlRandom(void);
+ #endif
+ 
++XMLPUBFUN xmlChar * XMLCALL xmlEscapeFormatString(xmlChar **msg);
+ int xmlNop(void);
+ 
+ #ifdef IN_LIBXML
+Index: libxml2-2.9.2/relaxng.c
+===================================================================
+--- libxml2-2.9.2.orig/relaxng.c
++++ libxml2-2.9.2/relaxng.c
+@@ -2215,7 +2215,8 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValid
+         snprintf(msg, 1000, "Unknown error code %d\n", err);
+     }
+     msg[1000 - 1] = 0;
+-    return (xmlStrdup((xmlChar *) msg));
++    xmlChar *result = xmlCharStrdup(msg);
++    return (xmlEscapeFormatString(&result));
+ }
+ 
+ /**
+Index: libxml2-2.9.2/xmlschemas.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlschemas.c
++++ libxml2-2.9.2/xmlschemas.c
+@@ -1769,7 +1769,7 @@ xmlSchemaFormatItemForReport(xmlChar **b
+     }
+     FREE_AND_NULL(str)
+ 
+-    return (*buf);
++    return (xmlEscapeFormatString(buf));
+ }
+ 
+ /**
+@@ -2249,6 +2249,13 @@ xmlSchemaFormatNodeForError(xmlChar ** m
+ 	TODO
+ 	return (NULL);
+     }
++
++    /*
++     * xmlSchemaFormatItemForReport() also returns an escaped format
++     * string, so do this before calling it below (in the future).
++     */
++    xmlEscapeFormatString(msg);
++
+     /*
+     * VAL TODO: The output of the given schema component is currently
+     * disabled.
+@@ -2476,11 +2483,13 @@ xmlSchemaSimpleTypeErr(xmlSchemaAbstract
+ 	msg = xmlStrcat(msg, BAD_CAST " '");
+ 	if (type->builtInType != 0) {
+ 	    msg = xmlStrcat(msg, BAD_CAST "xs:");
+-	    msg = xmlStrcat(msg, type->name);
+-	} else
+-	    msg = xmlStrcat(msg,
+-		xmlSchemaFormatQName(&str,
+-		    type->targetNamespace, type->name));
++	    str = xmlStrdup(type->name);
++	} else {
++	    const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
++	    if (!str)
++		str = xmlStrdup(qName);
++	}
++	msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+ 	msg = xmlStrcat(msg, BAD_CAST "'");
+ 	FREE_AND_NULL(str);
+     }
+@@ -2617,7 +2626,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstrac
+ 		str = xmlStrcat(str, BAD_CAST ", ");
+ 	}
+ 	str = xmlStrcat(str, BAD_CAST " ).\n");
+-	msg = xmlStrcat(msg, BAD_CAST str);
++	msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+ 	FREE_AND_NULL(str)
+     } else
+       msg = xmlStrcat(msg, BAD_CAST "\n");
+@@ -3141,11 +3150,13 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC
+ 		msg = xmlStrcat(msg, BAD_CAST " '");
+ 		if (type->builtInType != 0) {
+ 		    msg = xmlStrcat(msg, BAD_CAST "xs:");
+-		    msg = xmlStrcat(msg, type->name);
+-		} else
+-		    msg = xmlStrcat(msg,
+-			xmlSchemaFormatQName(&str,
+-			    type->targetNamespace, type->name));
++		    str = xmlStrdup(type->name);
++		} else {
++		    const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
++		    if (!str)
++			str = xmlStrdup(qName);
++		}
++		msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+ 		msg = xmlStrcat(msg, BAD_CAST "'.");
+ 		FREE_AND_NULL(str);
+ 	    }
+@@ -3158,7 +3169,9 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC
+ 	}
+ 	if (expected) {
+ 	    msg = xmlStrcat(msg, BAD_CAST " Expected is '");
+-	    msg = xmlStrcat(msg, BAD_CAST expected);
++	    xmlChar *expectedEscaped = xmlCharStrdup(expected);
++	    msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped));
++	    FREE_AND_NULL(expectedEscaped);
+ 	    msg = xmlStrcat(msg, BAD_CAST "'.\n");
+ 	} else
+ 	    msg = xmlStrcat(msg, BAD_CAST "\n");
+Index: libxml2-2.9.2/xmlstring.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlstring.c
++++ libxml2-2.9.2/xmlstring.c
+@@ -987,5 +987,60 @@ xmlUTF8Strsub(const xmlChar *utf, int st
+     return(xmlUTF8Strndup(utf, len));
+ }
+ 
++/**
++ * xmlEscapeFormatString:
++ * @msg:  a pointer to the string in which to escape '%' characters.
++ * Must be a heap-allocated buffer created by libxml2 that may be
++ * returned, or that may be freed and replaced.
++ *
++ * Replaces the string pointed to by 'msg' with an escaped string.
++ * Returns the same string with all '%' characters escaped.
++ */
++xmlChar *
++xmlEscapeFormatString(xmlChar **msg)
++{
++    xmlChar *msgPtr = NULL;
++    xmlChar *result = NULL;
++    xmlChar *resultPtr = NULL;
++    size_t count = 0;
++    size_t msgLen = 0;
++    size_t resultLen = 0;
++
++    if (!msg || !*msg)
++        return(NULL);
++
++    for (msgPtr = *msg; *msgPtr != '\0'; ++msgPtr) {
++        ++msgLen;
++        if (*msgPtr == '%')
++            ++count;
++    }
++
++    if (count == 0)
++        return(*msg);
++
++    resultLen = msgLen + count + 1;
++    result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar));
++    if (result == NULL) {
++        /* Clear *msg to prevent format string vulnerabilities in
++           out-of-memory situations. */
++        xmlFree(*msg);
++        *msg = NULL;
++        xmlErrMemory(NULL, NULL);
++        return(NULL);
++    }
++
++    for (msgPtr = *msg, resultPtr = result; *msgPtr != '\0'; ++msgPtr, ++resultPtr) {
++        *resultPtr = *msgPtr;
++        if (*msgPtr == '%')
++            *(++resultPtr) = '%';
++    }
++    result[resultLen - 1] = '\0';
++
++    xmlFree(*msg);
++    *msg = result;
++
++    return *msg;
++}
++
+ #define bottom_xmlstring
+ #include "elfgcchack.h"

meta/recipes-core/libxml/libxml2_2.9.2.bb

@@ -18,6 +18,8 @@ SRC_URI += "file://CVE-2016-1762.patch \
             file://CVE-2016-1833.patch \
             file://CVE-2016-3627.patch \
             file://CVE-2016-4447.patch \
+            file://CVE-2016-4448_1.patch \
+            file://CVE-2016-4448_2.patch \
     "
 
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"