CaROS/poky
3
1
Fork 0
mirror of https://git.yoctoproject.org/git/poky synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

libxml2: Security fix for CVE-2016-1834.patch

Browse Source 
(From OE-Core rev: 233f3b29760c878a3acb3aa0e22b7c252f17e2b3)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster 2016-07-09 14:29:54 -07:00 committed by Richard Purdie
parent f01272c3a5
commit b3c799c831
2 changed files with 56 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
meta/recipes-core/libxml/libxml2/CVE-2016-1834.patch Normal file
View File

@ -0,0 +1,55 @@
From 8fbbf5513d609c1770b391b99e33314cd0742704 Mon Sep 17 00:00:00 2001
From: Pranjal Jumde <pjumde@apple.com>
Date: Tue, 8 Mar 2016 17:29:00 -0800
Subject: [PATCH] Bug 763071: heap-buffer-overflow in xmlStrncat
<https://bugzilla.gnome.org/show_bug.cgi?id=763071>
* xmlstring.c:
(xmlStrncat): Return NULL if xmlStrlen returns a negative length.
(xmlStrncatNew): Ditto.
Upstream-Status: Backport
CVE: CVE-2016-1834
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
xmlstring.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/xmlstring.c b/xmlstring.c
index b89c9e9..00287d4 100644
--- a/xmlstring.c
+++ b/xmlstring.c
@@ -457,6 +457,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) {
return(xmlStrndup(add, len));
size = xmlStrlen(cur);
+ if (size < 0)
+ return(NULL);
ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar));
if (ret == NULL) {
xmlErrMemory(NULL, NULL);
@@ -484,14 +486,19 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) {
int size;
xmlChar *ret;
- if (len < 0)
+ if (len < 0) {
len = xmlStrlen(str2);
+ if (len < 0)
+ return(NULL);
+ }
if ((str2 == NULL) || (len == 0))
return(xmlStrdup(str1));
if (str1 == NULL)
return(xmlStrndup(str2, len));
size = xmlStrlen(str1);
+ if (size < 0)
+ return(NULL);
ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar));
if (ret == NULL) {
xmlErrMemory(NULL, NULL);
--
2.3.5

1
meta/recipes-core/libxml/libxml2_2.9.2.bb
View File

@ -6,6 +6,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
"
SRC_URI += "file://CVE-2016-1762.patch \
file://CVE-2016-3705.patch \
file://CVE-2016-1834.patch \
"
SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"