zlib: Fix CVE-2016-9840

Add backported patch to fix CVE-2016-9840 which was fixed in zlib 1.2.9

https://nvd.nist.gov/vuln/detail/CVE-2016-9840

(From OE-Core rev: c34064cceeb56806ed8ddf3aff73a3971378066c)

Signed-off-by: George McCollister <george.mccollister@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch

@@ -0,0 +1,77 @@
+commit 6a043145ca6e9c55184013841a67b2fef87e44c0
+Author: Mark Adler <madler@alumni.caltech.edu>
+Date:   Wed Sep 21 23:35:50 2016 -0700
+
+    Remove offset pointer optimization in inftrees.c.
+    
+    inftrees.c was subtracting an offset from a pointer to an array,
+    in order to provide a pointer that allowed indexing starting at
+    the offset. This is not compliant with the C standard, for which
+    the behavior of a pointer decremented before its allocated memory
+    is undefined. Per the recommendation of a security audit of the
+    zlib code by Trail of Bits and TrustInSoft, in support of the
+    Mozilla Foundation, this tiny optimization was removed, in order
+    to avoid the possibility of undefined behavior.
+
+Upstream-Status: Backport
+http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz
+https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0
+
+CVE: CVE-2016-9840
+
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+
+diff --git a/inftrees.c b/inftrees.c
+index 22fcd66..0d2670d 100644
+--- a/inftrees.c
++++ b/inftrees.c
+@@ -54,7 +54,7 @@ unsigned short FAR *work;
+     code FAR *next;             /* next available space in table */
+     const unsigned short FAR *base;     /* base value table to use */
+     const unsigned short FAR *extra;    /* extra bits table to use */
+-    int end;                    /* use base and extra for symbol > end */
++    unsigned match;             /* use base and extra for symbol >= match */
+     unsigned short count[MAXBITS+1];    /* number of codes of each length */
+     unsigned short offs[MAXBITS+1];     /* offsets in table for each length */
+     static const unsigned short lbase[31] = { /* Length codes 257..285 base */
+@@ -181,19 +181,17 @@ unsigned short FAR *work;
+     switch (type) {
+     case CODES:
+         base = extra = work;    /* dummy value--not used */
+-        end = 19;
++        match = 20;
+         break;
+     case LENS:
+         base = lbase;
+-        base -= 257;
+         extra = lext;
+-        extra -= 257;
+-        end = 256;
++        match = 257;
+         break;
+     default:            /* DISTS */
+         base = dbase;
+         extra = dext;
+-        end = -1;
++        match = 0;
+     }
+ 
+     /* initialize state for loop */
+@@ -216,13 +214,13 @@ unsigned short FAR *work;
+     for (;;) {
+         /* create table entry */
+         here.bits = (unsigned char)(len - drop);
+-        if ((int)(work[sym]) < end) {
++        if (work[sym] + 1 < match) {
+             here.op = (unsigned char)0;
+             here.val = work[sym];
+         }
+-        else if ((int)(work[sym]) > end) {
+-            here.op = (unsigned char)(extra[work[sym]]);
+-            here.val = base[work[sym]];
++        else if (work[sym] >= match) {
++            here.op = (unsigned char)(extra[work[sym] - match]);
++            here.val = base[work[sym] - match];
+         }
+         else {
+             here.op = (unsigned char)(32 + 64);         /* end of block */

meta/recipes-core/zlib/zlib_1.2.8.bb

@@ -10,6 +10,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
            file://remove.ldconfig.call.patch \
            file://Makefile-runtests.patch \
            file://ldflags-tests.patch \
+           file://CVE-2016-9840.patch \
            file://run-ptest \
            "