import-layers/yocto-poky/meta/recipes-core/libxml/libxml2/libxml2-CVE-2017-5969.patch - openbmc/openbmc - Gitiles

 libxml2-2.9.4: Fix CVE-2017-5969

 [No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=758422

 valid: Fix NULL pointer deref in xmlDumpElementContent

 Can only be triggered in recovery mode.

 Fixes bug 758422

 Upstream-Status: Backport - [https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882]
 CVE: CVE-2017-5969
 Signed-off-by: Andrej Valek <andrej.valek@siemens.com>

 diff --git a/valid.c b/valid.c
 index 19f84b8..0a8e58a 100644
 --- a/valid.c
 +++ b/valid.c
 @@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
  	    xmlBufferWriteCHAR(buf, content->name);
  	    break;
  	case XML_ELEMENT_CONTENT_SEQ:
 -	    if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
 -	        (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
 +	    if ((content->c1 != NULL) &&
 +	        ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
 +	         (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
  		xmlDumpElementContent(buf, content->c1, 1);
  	    else
  		xmlDumpElementContent(buf, content->c1, 0);
              xmlBufferWriteChar(buf, " , ");
 -	    if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
 -	        ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
 -		 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
 +	    if ((content->c2 != NULL) &&
 +	        ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
 +	         ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
 +		  (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
  		xmlDumpElementContent(buf, content->c2, 1);
  	    else
  		xmlDumpElementContent(buf, content->c2, 0);
  	    break;
  	case XML_ELEMENT_CONTENT_OR:
 -	    if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
 -	        (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
 +	    if ((content->c1 != NULL) &&
 +	        ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
 +	         (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
  		xmlDumpElementContent(buf, content->c1, 1);
  	    else
  		xmlDumpElementContent(buf, content->c1, 0);
              xmlBufferWriteChar(buf, " | ");
 -	    if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
 -	        ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
 -		 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
 +	    if ((content->c2 != NULL) &&
 +	        ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
 +	         ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
 +		  (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
  		xmlDumpElementContent(buf, content->c2, 1);
  	    else
  		xmlDumpElementContent(buf, content->c2, 0);
	libxml2-2.9.4: Fix CVE-2017-5969

	[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=758422

	valid: Fix NULL pointer deref in xmlDumpElementContent

	Can only be triggered in recovery mode.

	Fixes bug 758422

	Upstream-Status: Backport - [https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882]
	CVE: CVE-2017-5969
	Signed-off-by: Andrej Valek <andrej.valek@siemens.com>

	diff --git a/valid.c b/valid.c
	index 19f84b8..0a8e58a 100644
	--- a/valid.c
	+++ b/valid.c
	@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
	xmlBufferWriteCHAR(buf, content->name);
	break;
	case XML_ELEMENT_CONTENT_SEQ:
	- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) \|\|
	- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
	+ if ((content->c1 != NULL) &&
	+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) \|\|
	+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
	xmlDumpElementContent(buf, content->c1, 1);
	else
	xmlDumpElementContent(buf, content->c1, 0);
	xmlBufferWriteChar(buf, " , ");
	- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) \|\|
	- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
	- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
	+ if ((content->c2 != NULL) &&
	+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) \|\|
	+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
	+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
	xmlDumpElementContent(buf, content->c2, 1);
	else
	xmlDumpElementContent(buf, content->c2, 0);
	break;
	case XML_ELEMENT_CONTENT_OR:
	- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) \|\|
	- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
	+ if ((content->c1 != NULL) &&
	+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) \|\|
	+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
	xmlDumpElementContent(buf, content->c1, 1);
	else
	xmlDumpElementContent(buf, content->c1, 0);
	xmlBufferWriteChar(buf, " \| ");
	- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) \|\|
	- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
	- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
	+ if ((content->c2 != NULL) &&
	+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) \|\|
	+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
	+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
	xmlDumpElementContent(buf, content->c2, 1);
	else
	xmlDumpElementContent(buf, content->c2, 0);