libxml2: Security fix for CVE-2016-4448

Affects libxml2 < 2.9.4 (From OE-Core rev: d4343f428c89c6c238cc7cd4c4732448a00003e4) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-07-19 21:09:03 +02:00 · 2016-07-09 15:20:50 -07:00 · 2016-07-09 15:20:50 -07:00 · 3b2c540986
commit 3b2c540986
parent ad7cab35ff
3 changed files with 1277 additions and 0 deletions
--- a/meta/recipes-core/libxml/libxml2/CVE-2016-4448_1.patch
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_1.patch
--- a/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch
@ -0,0 +1,208 @@
+From 502f6a6d08b08c04b3ddfb1cd21b2f699c1b7f5b Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Mon, 23 May 2016 14:58:41 +0800
+Subject: [PATCH] More format string warnings with possible format string
+ vulnerability
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=761029
+
+adds a new xmlEscapeFormatString() function to escape composed format
+strings
+
+Upstream-Status: Backport
+CVE: CVE-2016-4448 patch #2
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libxml.h     |  3 +++
+ relaxng.c    |  3 ++-
+ xmlschemas.c | 39 ++++++++++++++++++++++++++-------------
+ xmlstring.c  | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 86 insertions(+), 14 deletions(-)
+
+Index: libxml2-2.9.2/libxml.h
+===================================================================
+--- libxml2-2.9.2.orig/libxml.h
+++ libxml2-2.9.2/libxml.h
+@@ -9,6 +9,8 @@
+ #ifndef __XML_LIBXML_H__
+ #define __XML_LIBXML_H__
+ 
+#include <libxml/xmlstring.h>
+
+ #ifndef NO_LARGEFILE_SOURCE
+ #ifndef _LARGEFILE_SOURCE
+ #define _LARGEFILE_SOURCE
+@@ -96,6 +98,7 @@ int __xmlInitializeDict(void);
+ int __xmlRandom(void);
+ #endif
+ 
+XMLPUBFUN xmlChar * XMLCALL xmlEscapeFormatString(xmlChar **msg);
+ int xmlNop(void);
+ 
+ #ifdef IN_LIBXML
+Index: libxml2-2.9.2/relaxng.c
+===================================================================
+--- libxml2-2.9.2.orig/relaxng.c
+++ libxml2-2.9.2/relaxng.c
+@@ -2215,7 +2215,8 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValid
+         snprintf(msg, 1000, "Unknown error code %d\n", err);
+     }
+     msg[1000 - 1] = 0;
+-    return (xmlStrdup((xmlChar *) msg));
+    xmlChar *result = xmlCharStrdup(msg);
+    return (xmlEscapeFormatString(&result));
+ }
+ 
+ /**
+Index: libxml2-2.9.2/xmlschemas.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlschemas.c
+++ libxml2-2.9.2/xmlschemas.c
+@@ -1769,7 +1769,7 @@ xmlSchemaFormatItemForReport(xmlChar **b
+     }
+     FREE_AND_NULL(str)
+ 
+-    return (*buf);
+    return (xmlEscapeFormatString(buf));
+ }
+ 
+ /**
+@@ -2249,6 +2249,13 @@ xmlSchemaFormatNodeForError(xmlChar ** m
+ 	TODO
+ 	return (NULL);
+     }
+
+    /*
+     * xmlSchemaFormatItemForReport() also returns an escaped format
+     * string, so do this before calling it below (in the future).
+     */
+    xmlEscapeFormatString(msg);
+
+     /*
+     * VAL TODO: The output of the given schema component is currently
+     * disabled.
+@@ -2476,11 +2483,13 @@ xmlSchemaSimpleTypeErr(xmlSchemaAbstract
+ 	msg = xmlStrcat(msg, BAD_CAST " '");
+ 	if (type->builtInType != 0) {
+ 	    msg = xmlStrcat(msg, BAD_CAST "xs:");
+-	    msg = xmlStrcat(msg, type->name);
+-	} else
+-	    msg = xmlStrcat(msg,
+-		xmlSchemaFormatQName(&str,
+-		    type->targetNamespace, type->name));
+	    str = xmlStrdup(type->name);
+	} else {
+	    const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
+	    if (!str)
+		str = xmlStrdup(qName);
+	}
+	msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+ 	msg = xmlStrcat(msg, BAD_CAST "'");
+ 	FREE_AND_NULL(str);
+     }
+@@ -2617,7 +2626,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstrac
+ 		str = xmlStrcat(str, BAD_CAST ", ");
+ 	}
+ 	str = xmlStrcat(str, BAD_CAST " ).\n");
+-	msg = xmlStrcat(msg, BAD_CAST str);
+	msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+ 	FREE_AND_NULL(str)
+     } else
+       msg = xmlStrcat(msg, BAD_CAST "\n");
+@@ -3141,11 +3150,13 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC
+ 		msg = xmlStrcat(msg, BAD_CAST " '");
+ 		if (type->builtInType != 0) {
+ 		    msg = xmlStrcat(msg, BAD_CAST "xs:");
+-		    msg = xmlStrcat(msg, type->name);
+-		} else
+-		    msg = xmlStrcat(msg,
+-			xmlSchemaFormatQName(&str,
+-			    type->targetNamespace, type->name));
+		    str = xmlStrdup(type->name);
+		} else {
+		    const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
+		    if (!str)
+			str = xmlStrdup(qName);
+		}
+		msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+ 		msg = xmlStrcat(msg, BAD_CAST "'.");
+ 		FREE_AND_NULL(str);
+ 	    }
+@@ -3158,7 +3169,9 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC
+ 	}
+ 	if (expected) {
+ 	    msg = xmlStrcat(msg, BAD_CAST " Expected is '");
+-	    msg = xmlStrcat(msg, BAD_CAST expected);
+	    xmlChar *expectedEscaped = xmlCharStrdup(expected);
+	    msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped));
+	    FREE_AND_NULL(expectedEscaped);
+ 	    msg = xmlStrcat(msg, BAD_CAST "'.\n");
+ 	} else
+ 	    msg = xmlStrcat(msg, BAD_CAST "\n");
+Index: libxml2-2.9.2/xmlstring.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlstring.c
+++ libxml2-2.9.2/xmlstring.c
+@@ -987,5 +987,60 @@ xmlUTF8Strsub(const xmlChar *utf, int st
+     return(xmlUTF8Strndup(utf, len));
+ }
+ 
+/**
+ * xmlEscapeFormatString:
+ * @msg:  a pointer to the string in which to escape '%' characters.
+ * Must be a heap-allocated buffer created by libxml2 that may be
+ * returned, or that may be freed and replaced.
+ *
+ * Replaces the string pointed to by 'msg' with an escaped string.
+ * Returns the same string with all '%' characters escaped.
+ */
+xmlChar *
+xmlEscapeFormatString(xmlChar **msg)
+{
+    xmlChar *msgPtr = NULL;
+    xmlChar *result = NULL;
+    xmlChar *resultPtr = NULL;
+    size_t count = 0;
+    size_t msgLen = 0;
+    size_t resultLen = 0;
+
+    if (!msg || !*msg)
+        return(NULL);
+
+    for (msgPtr = *msg; *msgPtr != '\0'; ++msgPtr) {
+        ++msgLen;
+        if (*msgPtr == '%')
+            ++count;
+    }
+
+    if (count == 0)
+        return(*msg);
+
+    resultLen = msgLen + count + 1;
+    result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar));
+    if (result == NULL) {
+        /* Clear *msg to prevent format string vulnerabilities in
+           out-of-memory situations. */
+        xmlFree(*msg);
+        *msg = NULL;
+        xmlErrMemory(NULL, NULL);
+        return(NULL);
+    }
+
+    for (msgPtr = *msg, resultPtr = result; *msgPtr != '\0'; ++msgPtr, ++resultPtr) {
+        *resultPtr = *msgPtr;
+        if (*msgPtr == '%')
+            *(++resultPtr) = '%';
+    }
+    result[resultLen - 1] = '\0';
+
+    xmlFree(*msg);
+    *msg = result;
+
+    return *msg;
+}
+
+ #define bottom_xmlstring
+ #include "elfgcchack.h"
--- a/meta/recipes-core/libxml/libxml2_2.9.2.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.2.bb
@ -18,6 +18,8 @@ SRC_URI += "file://CVE-2016-1762.patch \
            file://CVE-2016-1833.patch \
            file://CVE-2016-3627.patch \
            file://CVE-2016-4447.patch \
+            file://CVE-2016-4448_1.patch \
+            file://CVE-2016-4448_2.patch \
    "

 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"