mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-31 12:49:46 +00:00
Code Issues Projects Releases Wiki Activity

libxml2: Security fix for CVE-2016-1837

Browse Source 
Affects libxml2 < 2.9.4

(From OE-Core rev: d0e3cc8c9234083a4ad6a0c1befe02b6076b084c)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster
2016-07-09 15:01:15 -07:00
committed by Richard Purdie
parent 94d9c374e9
commit f96cfb009d
2 changed files with 144 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch
+143
View File
@@ -0,0 +1,143 @@
From 11ed4a7a90d5ce156a18980a4ad4e53e77384852 Mon Sep 17 00:00:00 2001
From: Pranjal Jumde <pjumde@apple.com>
Date: Wed, 2 Mar 2016 15:52:24 -0800
Subject: [PATCH] Heap use-after-free in htmlParsePubidLiteral and
htmlParseSystemiteral
For https://bugzilla.gnome.org/show_bug.cgi?id=760263
* HTMLparser.c: Add BASE_PTR convenience macro.
(htmlParseSystemLiteral): Store length and start position instead
of a pointer while iterating through the public identifier since
the underlying buffer may change, resulting in a stale pointer
being used.
(htmlParsePubidLiteral): Ditto.
Upstream-status: Backport
CVE: CVE-2016-1837.patch
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
HTMLparser.c | 58 +++++++++++++++++++++++++++++++++++++++++++---------------
1 file changed, 43 insertions(+), 15 deletions(-)
Index: libxml2-2.9.2/HTMLparser.c
===================================================================
--- libxml2-2.9.2.orig/HTMLparser.c
+++ libxml2-2.9.2/HTMLparser.c
@@ -303,6 +303,7 @@ htmlNodeInfoPop(htmlParserCtxtPtr ctxt)
#define UPP(val) (toupper(ctxt->input->cur[(val)]))
#define CUR_PTR ctxt->input->cur
+#define BASE_PTR ctxt->input->base
#define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \
(ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \
@@ -2773,31 +2774,43 @@ htmlParseAttValue(htmlParserCtxtPtr ctxt
static xmlChar *
htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) {
- const xmlChar *q;
+ size_t len = 0, startPosition = 0;
xmlChar *ret = NULL;
if (CUR == '"') {
NEXT;
- q = CUR_PTR;
- while ((IS_CHAR_CH(CUR)) && (CUR != '"'))
+
+ if (CUR_PTR < BASE_PTR)
+ return(ret);
+ startPosition = CUR_PTR - BASE_PTR;
+
+ while ((IS_CHAR_CH(CUR)) && (CUR != '"')) {
NEXT;
+ len++;
+ }
if (!IS_CHAR_CH(CUR)) {
htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
"Unfinished SystemLiteral\n", NULL, NULL);
} else {
- ret = xmlStrndup(q, CUR_PTR - q);
+ ret = xmlStrndup((BASE_PTR+startPosition), len);
NEXT;
}
} else if (CUR == '\'') {
NEXT;
- q = CUR_PTR;
- while ((IS_CHAR_CH(CUR)) && (CUR != '\''))
+
+ if (CUR_PTR < BASE_PTR)
+ return(ret);
+ startPosition = CUR_PTR - BASE_PTR;
+
+ while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) {
NEXT;
+ len++;
+ }
if (!IS_CHAR_CH(CUR)) {
htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
"Unfinished SystemLiteral\n", NULL, NULL);
} else {
- ret = xmlStrndup(q, CUR_PTR - q);
+ ret = xmlStrndup((BASE_PTR+startPosition), len);
NEXT;
}
} else {
@@ -2821,32 +2834,47 @@ htmlParseSystemLiteral(htmlParserCtxtPtr
static xmlChar *
htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) {
- const xmlChar *q;
+ size_t len = 0, startPosition = 0;
xmlChar *ret = NULL;
/*
* Name ::= (Letter | '_') (NameChar)*
*/
if (CUR == '"') {
NEXT;
- q = CUR_PTR;
- while (IS_PUBIDCHAR_CH(CUR)) NEXT;
+
+ if (CUR_PTR < BASE_PTR)
+ return(ret);
+ startPosition = CUR_PTR - BASE_PTR;
+
+ while (IS_PUBIDCHAR_CH(CUR)) {
+ len++;
+ NEXT;
+ }
+
if (CUR != '"') {
htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
"Unfinished PubidLiteral\n", NULL, NULL);
} else {
- ret = xmlStrndup(q, CUR_PTR - q);
+ ret = xmlStrndup((BASE_PTR + startPosition), len);
NEXT;
}
} else if (CUR == '\'') {
NEXT;
- q = CUR_PTR;
- while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\''))
- NEXT;
+
+ if (CUR_PTR < BASE_PTR)
+ return(ret);
+ startPosition = CUR_PTR - BASE_PTR;
+
+ while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){
+ len++;
+ NEXT;
+ }
+
if (CUR != '\'') {
htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
"Unfinished PubidLiteral\n", NULL, NULL);
} else {
- ret = xmlStrndup(q, CUR_PTR - q);
+ ret = xmlStrndup((BASE_PTR + startPosition), len);
NEXT;
}
} else {
meta/recipes-core/libxml/libxml2_2.9.2.bb
+1
View File
@@ -13,6 +13,7 @@ SRC_URI += "file://CVE-2016-1762.patch \
file://CVE-2016-1839.patch \ file://CVE-2016-1839.patch \
file://CVE-2016-1836.patch \ file://CVE-2016-1836.patch \
file://CVE-2016-4449.patch \ file://CVE-2016-4449.patch \
file://CVE-2016-1837.patch \
" "
SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788" SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"