2 files changed, 624 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch
new file mode 100644
index 0000000000..bdb9e9eb7a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch
@@ -0,0 +1,623 @@
+From c846986356fc149915a74972bf198abc266bc2c0 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 25 Aug 2022 17:43:08 +0200
+Subject: [PATCH] [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE
+Also impose size limits when XML_PARSE_HUGE is set. Limit size of names
+to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to
+XML_MAX_HUGE_LENGTH (1 billion bytes).
+Move some the length checks to the end of the respective loop to make
+them strict.
+xmlParseEntityValue didn't have a length limitation at all. But without
+XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW.
+Thanks to Maddie Stone working with Google Project Zero for the report!
+CVE: CVE-2022-40303
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0]
+Comments: Refreshed hunk
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ parser.c | 233 +++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 121 insertions(+), 112 deletions(-)
+diff --git a/parser.c b/parser.c
+index 93f031be..79479979 100644
+--- a/parser.c
+++ b/parser.c
+@@ -102,6 +102,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt);
+  *                                                                     *
+  ************************************************************************/
+ 
+#define XML_MAX_HUGE_LENGTH 1000000000
+
+ #define XML_PARSER_BIG_ENTITY 1000
+ #define XML_PARSER_LOT_ENTITY 5000
+ 
+@@ -552,7 +554,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
+             errmsg = "Malformed declaration expecting version";
+             break;
+         case XML_ERR_NAME_TOO_LONG:
+-            errmsg = "Name too long use XML_PARSE_HUGE option";
+            errmsg = "Name too long";
+             break;
+ #if 0
+         case:
+@@ -3202,6 +3204,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+     int len = 0, l;
+     int c;
+     int count = 0;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_TEXT_LENGTH :
+                    XML_MAX_NAME_LENGTH;
+ 
+ #ifdef DEBUG
+     nbParseNameComplex++;
+@@ -3267,7 +3272,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+                 if (ctxt->instate == XML_PARSER_EOF)
+                     return(NULL);
+            }
+-           len += l;
+            if (len <= INT_MAX - l)
+               len += l;
+            NEXTL(l);
+            c = CUR_CHAR(l);
+        }
+@@ -3293,13 +3299,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+                 if (ctxt->instate == XML_PARSER_EOF)
+                     return(NULL);
+            }
+-           len += l;
+            if (len <= INT_MAX - l)
+               len += l;
+            NEXTL(l);
+            c = CUR_CHAR(l);
+        }
+     }
+-    if ((len > XML_MAX_NAME_LENGTH) &&
+-        ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+    if (len > maxLength) {
+         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+         return(NULL);
+     }
+@@ -3338,7 +3344,10 @@ const xmlChar *
+ xmlParseName(xmlParserCtxtPtr ctxt) {
+     const xmlChar *in;
+     const xmlChar *ret;
+-    int count = 0;
+    size_t count = 0;
+    size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                       XML_MAX_TEXT_LENGTH :
+                       XML_MAX_NAME_LENGTH;
+ 
+     GROW;
+ 
+@@ -3362,8 +3371,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) {
+            in++;
+        if ((*in > 0) && (*in < 0x80)) {
+            count = in - ctxt->input->cur;
+-            if ((count > XML_MAX_NAME_LENGTH) &&
+-                ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+            if (count > maxLength) {
+                 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+                 return(NULL);
+             }
+@@ -3384,6 +3392,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+     int len = 0, l;
+     int c;
+     int count = 0;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_TEXT_LENGTH :
+                    XML_MAX_NAME_LENGTH;
+     size_t startPosition = 0;
+ 
+ #ifdef DEBUG
+@@ -3404,17 +3415,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+     while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */
+           (xmlIsNameChar(ctxt, c) && (c != ':'))) {
+        if (count++ > XML_PARSER_CHUNK_SIZE) {
+-            if ((len > XML_MAX_NAME_LENGTH) &&
+-                ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-                xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+-                return(NULL);
+-            }
+            count = 0;
+            GROW;
+             if (ctxt->instate == XML_PARSER_EOF)
+                 return(NULL);
+        }
+-       len += l;
+        if (len <= INT_MAX - l)
+           len += l;
+        NEXTL(l);
+        c = CUR_CHAR(l);
+        if (c == 0) {
+@@ -3432,8 +3439,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+            c = CUR_CHAR(l);
+        }
+     }
+-    if ((len > XML_MAX_NAME_LENGTH) &&
+-        ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+    if (len > maxLength) {
+         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+         return(NULL);
+     }
+@@ -3459,7 +3465,10 @@ static const xmlChar *
+ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+     const xmlChar *in, *e;
+     const xmlChar *ret;
+-    int count = 0;
+    size_t count = 0;
+    size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                       XML_MAX_TEXT_LENGTH :
+                       XML_MAX_NAME_LENGTH;
+ 
+ #ifdef DEBUG
+     nbParseNCName++;
+@@ -3484,8 +3493,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+            goto complex;
+        if ((*in > 0) && (*in < 0x80)) {
+            count = in - ctxt->input->cur;
+-            if ((count > XML_MAX_NAME_LENGTH) &&
+-                ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+            if (count > maxLength) {
+                 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+                 return(NULL);
+             }
+@@ -3567,6 +3575,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
+     const xmlChar *cur = *str;
+     int len = 0, l;
+     int c;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_TEXT_LENGTH :
+                    XML_MAX_NAME_LENGTH;
+ 
+ #ifdef DEBUG
+     nbParseStringName++;
+@@ -3602,12 +3613,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
+                if (len + 10 > max) {
+                    xmlChar *tmp;
+ 
+-                    if ((len > XML_MAX_NAME_LENGTH) &&
+-                        ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-                        xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+-                       xmlFree(buffer);
+-                        return(NULL);
+-                    }
+                    max *= 2;
+                    tmp = (xmlChar *) xmlRealloc(buffer,
+                                                    max * sizeof(xmlChar));
+@@ -3621,14 +3626,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
+                COPY_BUF(l,buffer,len,c);
+                cur += l;
+                c = CUR_SCHAR(cur, l);
+                if (len > maxLength) {
+                    xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+                    xmlFree(buffer);
+                    return(NULL);
+                }
+            }
+            buffer[len] = 0;
+            *str = cur;
+            return(buffer);
+        }
+     }
+-    if ((len > XML_MAX_NAME_LENGTH) &&
+-        ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+    if (len > maxLength) {
+         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+         return(NULL);
+     }
+@@ -3655,6 +3664,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+     int len = 0, l;
+     int c;
+     int count = 0;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_TEXT_LENGTH :
+                    XML_MAX_NAME_LENGTH;
+ 
+ #ifdef DEBUG
+     nbParseNmToken++;
+@@ -3706,12 +3718,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+                if (len + 10 > max) {
+                    xmlChar *tmp;
+ 
+-                    if ((max > XML_MAX_NAME_LENGTH) &&
+-                        ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-                        xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
+-                        xmlFree(buffer);
+-                        return(NULL);
+-                    }
+                    max *= 2;
+                    tmp = (xmlChar *) xmlRealloc(buffer,
+                                                    max * sizeof(xmlChar));
+@@ -3725,6 +3731,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+                COPY_BUF(l,buffer,len,c);
+                NEXTL(l);
+                c = CUR_CHAR(l);
+                if (len > maxLength) {
+                    xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
+                    xmlFree(buffer);
+                    return(NULL);
+                }
+            }
+            buffer[len] = 0;
+            return(buffer);
+@@ -3732,8 +3743,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+     }
+     if (len == 0)
+         return(NULL);
+-    if ((len > XML_MAX_NAME_LENGTH) &&
+-        ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+    if (len > maxLength) {
+         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
+         return(NULL);
+     }
+@@ -3759,6 +3769,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+     int len = 0;
+     int size = XML_PARSER_BUFFER_SIZE;
+     int c, l;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_HUGE_LENGTH :
+                    XML_MAX_TEXT_LENGTH;
+     xmlChar stop;
+     xmlChar *ret = NULL;
+     const xmlChar *cur = NULL;
+@@ -3818,6 +3831,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+            GROW;
+            c = CUR_CHAR(l);
+        }
+
+        if (len > maxLength) {
+            xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+                           "entity value too long\n");
+            goto error;
+        }
+     }
+     buf[len] = 0;
+     if (ctxt->instate == XML_PARSER_EOF)
+@@ -3905,6 +3924,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+     xmlChar *rep = NULL;
+     size_t len = 0;
+     size_t buf_size = 0;
+    size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                       XML_MAX_HUGE_LENGTH :
+                       XML_MAX_TEXT_LENGTH;
+     int c, l, in_space = 0;
+     xmlChar *current = NULL;
+     xmlEntityPtr ent;
+@@ -3925,16 +3925,6 @@
+     while (((NXT(0) != limit) && /* checked */
+             (IS_CHAR(c)) && (c != '<')) &&
+             (ctxt->instate != XML_PARSER_EOF)) {
+-        /*
+-         * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE
+-         * special option is given
+-         */
+-        if ((len > XML_MAX_TEXT_LENGTH) &&
+-            ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-            xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+-                           "AttValue length too long\n");
+-            goto mem_error;
+-        }
+        if (c == 0) break;
+        if (c == '&') {
+            in_space = 0;
+@@ -4093,6 +4105,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+        }
+        GROW;
+        c = CUR_CHAR(l);
+        if (len > maxLength) {
+            xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+                           "AttValue length too long\n");
+            goto mem_error;
+        }
+     }
+     if (ctxt->instate == XML_PARSER_EOF)
+         goto error;
+@@ -4114,16 +4131,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+     } else
+        NEXT;
+ 
+-    /*
+-     * There we potentially risk an overflow, don't allow attribute value of
+-     * length more than INT_MAX it is a very reasonable assumption !
+-     */
+-    if (len >= INT_MAX) {
+-        xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+-                       "AttValue length too long\n");
+-        goto mem_error;
+-    }
+-
+     if (attlen != NULL) *attlen = (int) len;
+     return(buf);
+ 
+@@ -4194,6 +4201,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
+     int len = 0;
+     int size = XML_PARSER_BUFFER_SIZE;
+     int cur, l;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_TEXT_LENGTH :
+                    XML_MAX_NAME_LENGTH;
+     xmlChar stop;
+     int state = ctxt->instate;
+     int count = 0;
+@@ -4221,13 +4231,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
+        if (len + 5 >= size) {
+            xmlChar *tmp;
+ 
+-            if ((size > XML_MAX_NAME_LENGTH) &&
+-                ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-                xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
+-                xmlFree(buf);
+-               ctxt->instate = (xmlParserInputState) state;
+-                return(NULL);
+-            }
+            size *= 2;
+            tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
+            if (tmp == NULL) {
+@@ -4256,6 +4259,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
+            SHRINK;
+            cur = CUR_CHAR(l);
+        }
+        if (len > maxLength) {
+            xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
+            xmlFree(buf);
+            ctxt->instate = (xmlParserInputState) state;
+            return(NULL);
+        }
+     }
+     buf[len] = 0;
+     ctxt->instate = (xmlParserInputState) state;
+@@ -4283,6 +4292,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
+     xmlChar *buf = NULL;
+     int len = 0;
+     int size = XML_PARSER_BUFFER_SIZE;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_TEXT_LENGTH :
+                    XML_MAX_NAME_LENGTH;
+     xmlChar cur;
+     xmlChar stop;
+     int count = 0;
+@@ -4310,12 +4322,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
+        if (len + 1 >= size) {
+            xmlChar *tmp;
+ 
+-            if ((size > XML_MAX_NAME_LENGTH) &&
+-                ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-                xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
+-                xmlFree(buf);
+-                return(NULL);
+-            }
+            size *= 2;
+            tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
+            if (tmp == NULL) {
+@@ -4343,6 +4349,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
+            SHRINK;
+            cur = CUR;
+        }
+        if (len > maxLength) {
+            xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
+            xmlFree(buf);
+            return(NULL);
+        }
+     }
+     buf[len] = 0;
+     if (cur != stop) {
+@@ -4742,6 +4753,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
+     int r, rl;
+     int cur, l;
+     size_t count = 0;
+    size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                       XML_MAX_HUGE_LENGTH :
+                       XML_MAX_TEXT_LENGTH;
+     int inputid;
+ 
+     inputid = ctxt->input->id;
+@@ -4787,13 +4801,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
+        if ((r == '-') && (q == '-')) {
+            xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL);
+        }
+-        if ((len > XML_MAX_TEXT_LENGTH) &&
+-            ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-            xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+-                         "Comment too big found", NULL);
+-            xmlFree (buf);
+-            return;
+-        }
+        if (len + 5 >= size) {
+            xmlChar *new_buf;
+             size_t new_size;
+@@ -4831,6 +4838,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
+            GROW;
+            cur = CUR_CHAR(l);
+        }
+
+        if (len > maxLength) {
+            xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+                         "Comment too big found", NULL);
+            xmlFree (buf);
+            return;
+        }
+     }
+     buf[len] = 0;
+     if (cur == 0) {
+@@ -4875,6 +4889,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) {
+     xmlChar *buf = NULL;
+     size_t size = XML_PARSER_BUFFER_SIZE;
+     size_t len = 0;
+    size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                       XML_MAX_HUGE_LENGTH :
+                       XML_MAX_TEXT_LENGTH;
+     xmlParserInputState state;
+     const xmlChar *in;
+     size_t nbchar = 0;
+@@ -4958,8 +4975,7 @@ get_more:
+                buf[len] = 0;
+            }
+        }
+-        if ((len > XML_MAX_TEXT_LENGTH) &&
+-            ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+        if (len > maxLength) {
+             xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+                          "Comment too big found", NULL);
+             xmlFree (buf);
+@@ -5159,6 +5175,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+     xmlChar *buf = NULL;
+     size_t len = 0;
+     size_t size = XML_PARSER_BUFFER_SIZE;
+    size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                       XML_MAX_HUGE_LENGTH :
+                       XML_MAX_TEXT_LENGTH;
+     int cur, l;
+     const xmlChar *target;
+     xmlParserInputState state;
+@@ -5234,14 +5253,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+                         return;
+                     }
+                    count = 0;
+-                    if ((len > XML_MAX_TEXT_LENGTH) &&
+-                        ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-                        xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+-                                          "PI %s too big found", target);
+-                        xmlFree(buf);
+-                        ctxt->instate = state;
+-                        return;
+-                    }
+                }
+                COPY_BUF(l,buf,len,cur);
+                NEXTL(l);
+@@ -5251,15 +5262,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+                    GROW;
+                    cur = CUR_CHAR(l);
+                }
+                if (len > maxLength) {
+                    xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+                                      "PI %s too big found", target);
+                    xmlFree(buf);
+                    ctxt->instate = state;
+                    return;
+                }
+            }
+-            if ((len > XML_MAX_TEXT_LENGTH) &&
+-                ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-                xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+-                                  "PI %s too big found", target);
+-                xmlFree(buf);
+-                ctxt->instate = state;
+-                return;
+-            }
+            buf[len] = 0;
+            if (cur != '?') {
+                xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+@@ -8954,6 +8964,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+     const xmlChar *in = NULL, *start, *end, *last;
+     xmlChar *ret = NULL;
+     int line, col;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_HUGE_LENGTH :
+                    XML_MAX_TEXT_LENGTH;
+ 
+     GROW;
+     in = (xmlChar *) CUR_PTR;
+@@ -8993,8 +9006,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+            start = in;
+            if (in >= end) {
+                 GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
+-                if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+-                    ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+                if ((in - start) > maxLength) {
+                     xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+                                    "AttValue length too long\n");
+                     return(NULL);
+@@ -9007,8 +9019,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+            if ((*in++ == 0x20) && (*in == 0x20)) break;
+            if (in >= end) {
+                 GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
+-                if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+-                    ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+                if ((in - start) > maxLength) {
+                     xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+                                    "AttValue length too long\n");
+                     return(NULL);
+@@ -9041,16 +9052,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+                    last = last + delta;
+                }
+                end = ctxt->input->end;
+-                if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+-                    ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+                if ((in - start) > maxLength) {
+                     xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+                                    "AttValue length too long\n");
+                     return(NULL);
+                 }
+            }
+        }
+-        if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+-            ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+        if ((in - start) > maxLength) {
+             xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+                            "AttValue length too long\n");
+             return(NULL);
+@@ -9063,8 +9072,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+            col++;
+            if (in >= end) {
+                 GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
+-                if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+-                    ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+                if ((in - start) > maxLength) {
+                     xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+                                    "AttValue length too long\n");
+                     return(NULL);
+@@ -9072,8 +9080,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+            }
+        }
+        last = in;
+-        if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+-            ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+        if ((in - start) > maxLength) {
+             xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+                            "AttValue length too long\n");
+             return(NULL);
+@@ -9763,6 +9770,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
+     int        s, sl;
+     int cur, l;
+     int count = 0;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_HUGE_LENGTH :
+                    XML_MAX_TEXT_LENGTH;
+ 
+     /* Check 2.6.0 was NXT(0) not RAW */
+     if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) {
+@@ -9796,13 +9806,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
+        if (len + 5 >= size) {
+            xmlChar *tmp;
+ 
+-            if ((size > XML_MAX_TEXT_LENGTH) &&
+-                ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-                xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED,
+-                             "CData section too big found", NULL);
+-                xmlFree (buf);
+-                return;
+-            }
+            tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar));
+            if (tmp == NULL) {
+                xmlFree(buf);
+@@ -9829,6 +9832,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
+        }
+        NEXTL(l);
+        cur = CUR_CHAR(l);
+        if (len > maxLength) {
+            xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED,
+                           "CData section too big found\n");
+            xmlFree(buf);
+            return;
+        }
+     }
+     buf[len] = 0;
+     ctxt->instate = XML_PARSER_CONTENT;
+-- 
+GitLab
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index dc62991739..39036f2688 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -34,6 +34,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
           file://CVE-2022-29824.patch \
           file://0001-Port-gentest.py-to-Python-3.patch \
           file://CVE-2016-3709.patch \
+           file://CVE-2022-40303.patch \
           "
 SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch new file mode 100644 index 0000000000..bdb9e9eb7a --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch
@@ -0,0 +1,623 @@
		1	From c846986356fc149915a74972bf198abc266bc2c0 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Thu, 25 Aug 2022 17:43:08 +0200
		4	Subject: [PATCH] [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE
		5
		6	Also impose size limits when XML_PARSE_HUGE is set. Limit size of names
		7	to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to
		8	XML_MAX_HUGE_LENGTH (1 billion bytes).
		9
		10	Move some the length checks to the end of the respective loop to make
		11	them strict.
		12
		13	xmlParseEntityValue didn't have a length limitation at all. But without
		14	XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW.
		15
		16	Thanks to Maddie Stone working with Google Project Zero for the report!
		17
		18	CVE: CVE-2022-40303
		19	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0]
		20	Comments: Refreshed hunk
		21
		22	Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
		23	---
		24	parser.c \| 233 +++++++++++++++++++++++++++++--------------------------
		25	1 file changed, 121 insertions(+), 112 deletions(-)
		26
		27	diff --git a/parser.c b/parser.c
		28	index 93f031be..79479979 100644
		29	--- a/parser.c
		30	+++ b/parser.c
		31	@@ -102,6 +102,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt);
		32	* *
		33	************************************************************************/
		34
		35	+#define XML_MAX_HUGE_LENGTH 1000000000
		36	+
		37	#define XML_PARSER_BIG_ENTITY 1000
		38	#define XML_PARSER_LOT_ENTITY 5000
		39
		40	@@ -552,7 +554,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
		41	errmsg = "Malformed declaration expecting version";
		42	break;
		43	case XML_ERR_NAME_TOO_LONG:
		44	- errmsg = "Name too long use XML_PARSE_HUGE option";
		45	+ errmsg = "Name too long";
		46	break;
		47	#if 0
		48	case:
		49	@@ -3202,6 +3204,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
		50	int len = 0, l;
		51	int c;
		52	int count = 0;
		53	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
		54	+ XML_MAX_TEXT_LENGTH :
		55	+ XML_MAX_NAME_LENGTH;
		56
		57	#ifdef DEBUG
		58	nbParseNameComplex++;
		59	@@ -3267,7 +3272,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
		60	if (ctxt->instate == XML_PARSER_EOF)
		61	return(NULL);
		62	}
		63	- len += l;
		64	+ if (len <= INT_MAX - l)
		65	+ len += l;
		66	NEXTL(l);
		67	c = CUR_CHAR(l);
		68	}
		69	@@ -3293,13 +3299,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
		70	if (ctxt->instate == XML_PARSER_EOF)
		71	return(NULL);
		72	}
		73	- len += l;
		74	+ if (len <= INT_MAX - l)
		75	+ len += l;
		76	NEXTL(l);
		77	c = CUR_CHAR(l);
		78	}
		79	}
		80	- if ((len > XML_MAX_NAME_LENGTH) &&
		81	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		82	+ if (len > maxLength) {
		83	xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
		84	return(NULL);
		85	}
		86	@@ -3338,7 +3344,10 @@ const xmlChar *
		87	xmlParseName(xmlParserCtxtPtr ctxt) {
		88	const xmlChar *in;
		89	const xmlChar *ret;
		90	- int count = 0;
		91	+ size_t count = 0;
		92	+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
		93	+ XML_MAX_TEXT_LENGTH :
		94	+ XML_MAX_NAME_LENGTH;
		95
		96	GROW;
		97
		98	@@ -3362,8 +3371,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) {
		99	in++;
		100	if ((in > 0) && (in < 0x80)) {
		101	count = in - ctxt->input->cur;
		102	- if ((count > XML_MAX_NAME_LENGTH) &&
		103	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		104	+ if (count > maxLength) {
		105	xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
		106	return(NULL);
		107	}
		108	@@ -3384,6 +3392,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
		109	int len = 0, l;
		110	int c;
		111	int count = 0;
		112	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
		113	+ XML_MAX_TEXT_LENGTH :
		114	+ XML_MAX_NAME_LENGTH;
		115	size_t startPosition = 0;
		116
		117	#ifdef DEBUG
		118	@@ -3404,17 +3415,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
		119	while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */
		120	(xmlIsNameChar(ctxt, c) && (c != ':'))) {
		121	if (count++ > XML_PARSER_CHUNK_SIZE) {
		122	- if ((len > XML_MAX_NAME_LENGTH) &&
		123	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		124	- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
		125	- return(NULL);
		126	- }
		127	count = 0;
		128	GROW;
		129	if (ctxt->instate == XML_PARSER_EOF)
		130	return(NULL);
		131	}
		132	- len += l;
		133	+ if (len <= INT_MAX - l)
		134	+ len += l;
		135	NEXTL(l);
		136	c = CUR_CHAR(l);
		137	if (c == 0) {
		138	@@ -3432,8 +3439,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
		139	c = CUR_CHAR(l);
		140	}
		141	}
		142	- if ((len > XML_MAX_NAME_LENGTH) &&
		143	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		144	+ if (len > maxLength) {
		145	xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
		146	return(NULL);
		147	}
		148	@@ -3459,7 +3465,10 @@ static const xmlChar *
		149	xmlParseNCName(xmlParserCtxtPtr ctxt) {
		150	const xmlChar in, e;
		151	const xmlChar *ret;
		152	- int count = 0;
		153	+ size_t count = 0;
		154	+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
		155	+ XML_MAX_TEXT_LENGTH :
		156	+ XML_MAX_NAME_LENGTH;
		157
		158	#ifdef DEBUG
		159	nbParseNCName++;
		160	@@ -3484,8 +3493,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
		161	goto complex;
		162	if ((in > 0) && (in < 0x80)) {
		163	count = in - ctxt->input->cur;
		164	- if ((count > XML_MAX_NAME_LENGTH) &&
		165	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		166	+ if (count > maxLength) {
		167	xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
		168	return(NULL);
		169	}
		170	@@ -3567,6 +3575,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
		171	const xmlChar cur = str;
		172	int len = 0, l;
		173	int c;
		174	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
		175	+ XML_MAX_TEXT_LENGTH :
		176	+ XML_MAX_NAME_LENGTH;
		177
		178	#ifdef DEBUG
		179	nbParseStringName++;
		180	@@ -3602,12 +3613,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
		181	if (len + 10 > max) {
		182	xmlChar *tmp;
		183
		184	- if ((len > XML_MAX_NAME_LENGTH) &&
		185	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		186	- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
		187	- xmlFree(buffer);
		188	- return(NULL);
		189	- }
		190	max *= 2;
		191	tmp = (xmlChar *) xmlRealloc(buffer,
		192	max * sizeof(xmlChar));
		193	@@ -3621,14 +3626,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
		194	COPY_BUF(l,buffer,len,c);
		195	cur += l;
		196	c = CUR_SCHAR(cur, l);
		197	+ if (len > maxLength) {
		198	+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
		199	+ xmlFree(buffer);
		200	+ return(NULL);
		201	+ }
		202	}
		203	buffer[len] = 0;
		204	*str = cur;
		205	return(buffer);
		206	}
		207	}
		208	- if ((len > XML_MAX_NAME_LENGTH) &&
		209	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		210	+ if (len > maxLength) {
		211	xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
		212	return(NULL);
		213	}
		214	@@ -3655,6 +3664,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
		215	int len = 0, l;
		216	int c;
		217	int count = 0;
		218	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
		219	+ XML_MAX_TEXT_LENGTH :
		220	+ XML_MAX_NAME_LENGTH;
		221
		222	#ifdef DEBUG
		223	nbParseNmToken++;
		224	@@ -3706,12 +3718,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
		225	if (len + 10 > max) {
		226	xmlChar *tmp;
		227
		228	- if ((max > XML_MAX_NAME_LENGTH) &&
		229	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		230	- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
		231	- xmlFree(buffer);
		232	- return(NULL);
		233	- }
		234	max *= 2;
		235	tmp = (xmlChar *) xmlRealloc(buffer,
		236	max * sizeof(xmlChar));
		237	@@ -3725,6 +3731,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
		238	COPY_BUF(l,buffer,len,c);
		239	NEXTL(l);
		240	c = CUR_CHAR(l);
		241	+ if (len > maxLength) {
		242	+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
		243	+ xmlFree(buffer);
		244	+ return(NULL);
		245	+ }
		246	}
		247	buffer[len] = 0;
		248	return(buffer);
		249	@@ -3732,8 +3743,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
		250	}
		251	if (len == 0)
		252	return(NULL);
		253	- if ((len > XML_MAX_NAME_LENGTH) &&
		254	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		255	+ if (len > maxLength) {
		256	xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
		257	return(NULL);
		258	}
		259	@@ -3759,6 +3769,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
		260	int len = 0;
		261	int size = XML_PARSER_BUFFER_SIZE;
		262	int c, l;
		263	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
		264	+ XML_MAX_HUGE_LENGTH :
		265	+ XML_MAX_TEXT_LENGTH;
		266	xmlChar stop;
		267	xmlChar *ret = NULL;
		268	const xmlChar *cur = NULL;
		269	@@ -3818,6 +3831,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
		270	GROW;
		271	c = CUR_CHAR(l);
		272	}
		273	+
		274	+ if (len > maxLength) {
		275	+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
		276	+ "entity value too long\n");
		277	+ goto error;
		278	+ }
		279	}
		280	buf[len] = 0;
		281	if (ctxt->instate == XML_PARSER_EOF)
		282	@@ -3905,6 +3924,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
		283	xmlChar *rep = NULL;
		284	size_t len = 0;
		285	size_t buf_size = 0;
		286	+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
		287	+ XML_MAX_HUGE_LENGTH :
		288	+ XML_MAX_TEXT_LENGTH;
		289	int c, l, in_space = 0;
		290	xmlChar *current = NULL;
		291	xmlEntityPtr ent;
		292	@@ -3925,16 +3925,6 @@
		293	while (((NXT(0) != limit) && /* checked */
		294	(IS_CHAR(c)) && (c != '<')) &&
		295	(ctxt->instate != XML_PARSER_EOF)) {
		296	- /*
		297	- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE
		298	- * special option is given
		299	- */
		300	- if ((len > XML_MAX_TEXT_LENGTH) &&
		301	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		302	- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
		303	- "AttValue length too long\n");
		304	- goto mem_error;
		305	- }
		306	if (c == 0) break;
		307	if (c == '&') {
		308	in_space = 0;
		309	@@ -4093,6 +4105,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
		310	}
		311	GROW;
		312	c = CUR_CHAR(l);
		313	+ if (len > maxLength) {
		314	+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
		315	+ "AttValue length too long\n");
		316	+ goto mem_error;
		317	+ }
		318	}
		319	if (ctxt->instate == XML_PARSER_EOF)
		320	goto error;
		321	@@ -4114,16 +4131,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
		322	} else
		323	NEXT;
		324
		325	- /*
		326	- * There we potentially risk an overflow, don't allow attribute value of
		327	- * length more than INT_MAX it is a very reasonable assumption !
		328	- */
		329	- if (len >= INT_MAX) {
		330	- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
		331	- "AttValue length too long\n");
		332	- goto mem_error;
		333	- }
		334	-
		335	if (attlen != NULL) *attlen = (int) len;
		336	return(buf);
		337
		338	@@ -4194,6 +4201,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
		339	int len = 0;
		340	int size = XML_PARSER_BUFFER_SIZE;
		341	int cur, l;
		342	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
		343	+ XML_MAX_TEXT_LENGTH :
		344	+ XML_MAX_NAME_LENGTH;
		345	xmlChar stop;
		346	int state = ctxt->instate;
		347	int count = 0;
		348	@@ -4221,13 +4231,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
		349	if (len + 5 >= size) {
		350	xmlChar *tmp;
		351
		352	- if ((size > XML_MAX_NAME_LENGTH) &&
		353	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		354	- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
		355	- xmlFree(buf);
		356	- ctxt->instate = (xmlParserInputState) state;
		357	- return(NULL);
		358	- }
		359	size *= 2;
		360	tmp = (xmlChar ) xmlRealloc(buf, size sizeof(xmlChar));
		361	if (tmp == NULL) {
		362	@@ -4256,6 +4259,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
		363	SHRINK;
		364	cur = CUR_CHAR(l);
		365	}
		366	+ if (len > maxLength) {
		367	+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
		368	+ xmlFree(buf);
		369	+ ctxt->instate = (xmlParserInputState) state;
		370	+ return(NULL);
		371	+ }
		372	}
		373	buf[len] = 0;
		374	ctxt->instate = (xmlParserInputState) state;
		375	@@ -4283,6 +4292,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
		376	xmlChar *buf = NULL;
		377	int len = 0;
		378	int size = XML_PARSER_BUFFER_SIZE;
		379	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
		380	+ XML_MAX_TEXT_LENGTH :
		381	+ XML_MAX_NAME_LENGTH;
		382	xmlChar cur;
		383	xmlChar stop;
		384	int count = 0;
		385	@@ -4310,12 +4322,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
		386	if (len + 1 >= size) {
		387	xmlChar *tmp;
		388
		389	- if ((size > XML_MAX_NAME_LENGTH) &&
		390	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		391	- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
		392	- xmlFree(buf);
		393	- return(NULL);
		394	- }
		395	size *= 2;
		396	tmp = (xmlChar ) xmlRealloc(buf, size sizeof(xmlChar));
		397	if (tmp == NULL) {
		398	@@ -4343,6 +4349,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
		399	SHRINK;
		400	cur = CUR;
		401	}
		402	+ if (len > maxLength) {
		403	+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
		404	+ xmlFree(buf);
		405	+ return(NULL);
		406	+ }
		407	}
		408	buf[len] = 0;
		409	if (cur != stop) {
		410	@@ -4742,6 +4753,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
		411	int r, rl;
		412	int cur, l;
		413	size_t count = 0;
		414	+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
		415	+ XML_MAX_HUGE_LENGTH :
		416	+ XML_MAX_TEXT_LENGTH;
		417	int inputid;
		418
		419	inputid = ctxt->input->id;
		420	@@ -4787,13 +4801,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
		421	if ((r == '-') && (q == '-')) {
		422	xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL);
		423	}
		424	- if ((len > XML_MAX_TEXT_LENGTH) &&
		425	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		426	- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
		427	- "Comment too big found", NULL);
		428	- xmlFree (buf);
		429	- return;
		430	- }
		431	if (len + 5 >= size) {
		432	xmlChar *new_buf;
		433	size_t new_size;
		434	@@ -4831,6 +4838,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
		435	GROW;
		436	cur = CUR_CHAR(l);
		437	}
		438	+
		439	+ if (len > maxLength) {
		440	+ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
		441	+ "Comment too big found", NULL);
		442	+ xmlFree (buf);
		443	+ return;
		444	+ }
		445	}
		446	buf[len] = 0;
		447	if (cur == 0) {
		448	@@ -4875,6 +4889,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) {
		449	xmlChar *buf = NULL;
		450	size_t size = XML_PARSER_BUFFER_SIZE;
		451	size_t len = 0;
		452	+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
		453	+ XML_MAX_HUGE_LENGTH :
		454	+ XML_MAX_TEXT_LENGTH;
		455	xmlParserInputState state;
		456	const xmlChar *in;
		457	size_t nbchar = 0;
		458	@@ -4958,8 +4975,7 @@ get_more:
		459	buf[len] = 0;
		460	}
		461	}
		462	- if ((len > XML_MAX_TEXT_LENGTH) &&
		463	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		464	+ if (len > maxLength) {
		465	xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
		466	"Comment too big found", NULL);
		467	xmlFree (buf);
		468	@@ -5159,6 +5175,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
		469	xmlChar *buf = NULL;
		470	size_t len = 0;
		471	size_t size = XML_PARSER_BUFFER_SIZE;
		472	+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
		473	+ XML_MAX_HUGE_LENGTH :
		474	+ XML_MAX_TEXT_LENGTH;
		475	int cur, l;
		476	const xmlChar *target;
		477	xmlParserInputState state;
		478	@@ -5234,14 +5253,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
		479	return;
		480	}
		481	count = 0;
		482	- if ((len > XML_MAX_TEXT_LENGTH) &&
		483	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		484	- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
		485	- "PI %s too big found", target);
		486	- xmlFree(buf);
		487	- ctxt->instate = state;
		488	- return;
		489	- }
		490	}
		491	COPY_BUF(l,buf,len,cur);
		492	NEXTL(l);
		493	@@ -5251,15 +5262,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
		494	GROW;
		495	cur = CUR_CHAR(l);
		496	}
		497	+ if (len > maxLength) {
		498	+ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
		499	+ "PI %s too big found", target);
		500	+ xmlFree(buf);
		501	+ ctxt->instate = state;
		502	+ return;
		503	+ }
		504	}
		505	- if ((len > XML_MAX_TEXT_LENGTH) &&
		506	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		507	- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
		508	- "PI %s too big found", target);
		509	- xmlFree(buf);
		510	- ctxt->instate = state;
		511	- return;
		512	- }
		513	buf[len] = 0;
		514	if (cur != '?') {
		515	xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
		516	@@ -8954,6 +8964,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,
		517	const xmlChar in = NULL, start, end, last;
		518	xmlChar *ret = NULL;
		519	int line, col;
		520	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
		521	+ XML_MAX_HUGE_LENGTH :
		522	+ XML_MAX_TEXT_LENGTH;
		523
		524	GROW;
		525	in = (xmlChar *) CUR_PTR;
		526	@@ -8993,8 +9006,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,
		527	start = in;
		528	if (in >= end) {
		529	GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
		530	- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
		531	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		532	+ if ((in - start) > maxLength) {
		533	xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
		534	"AttValue length too long\n");
		535	return(NULL);
		536	@@ -9007,8 +9019,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,
		537	if ((in++ == 0x20) && (in == 0x20)) break;
		538	if (in >= end) {
		539	GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
		540	- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
		541	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		542	+ if ((in - start) > maxLength) {
		543	xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
		544	"AttValue length too long\n");
		545	return(NULL);
		546	@@ -9041,16 +9052,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,
		547	last = last + delta;
		548	}
		549	end = ctxt->input->end;
		550	- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
		551	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		552	+ if ((in - start) > maxLength) {
		553	xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
		554	"AttValue length too long\n");
		555	return(NULL);
		556	}
		557	}
		558	}
		559	- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
		560	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		561	+ if ((in - start) > maxLength) {
		562	xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
		563	"AttValue length too long\n");
		564	return(NULL);
		565	@@ -9063,8 +9072,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,
		566	col++;
		567	if (in >= end) {
		568	GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
		569	- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
		570	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		571	+ if ((in - start) > maxLength) {
		572	xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
		573	"AttValue length too long\n");
		574	return(NULL);
		575	@@ -9072,8 +9080,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,
		576	}
		577	}
		578	last = in;
		579	- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
		580	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		581	+ if ((in - start) > maxLength) {
		582	xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
		583	"AttValue length too long\n");
		584	return(NULL);
		585	@@ -9763,6 +9770,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
		586	int s, sl;
		587	int cur, l;
		588	int count = 0;
		589	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
		590	+ XML_MAX_HUGE_LENGTH :
		591	+ XML_MAX_TEXT_LENGTH;
		592
		593	/* Check 2.6.0 was NXT(0) not RAW */
		594	if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) {
		595	@@ -9796,13 +9806,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
		596	if (len + 5 >= size) {
		597	xmlChar *tmp;
		598
		599	- if ((size > XML_MAX_TEXT_LENGTH) &&
		600	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
		601	- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED,
		602	- "CData section too big found", NULL);
		603	- xmlFree (buf);
		604	- return;
		605	- }
		606	tmp = (xmlChar ) xmlRealloc(buf, size 2 * sizeof(xmlChar));
		607	if (tmp == NULL) {
		608	xmlFree(buf);
		609	@@ -9829,6 +9832,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
		610	}
		611	NEXTL(l);
		612	cur = CUR_CHAR(l);
		613	+ if (len > maxLength) {
		614	+ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED,
		615	+ "CData section too big found\n");
		616	+ xmlFree(buf);
		617	+ return;
		618	+ }
		619	}
		620	buf[len] = 0;
		621	ctxt->instate = XML_PARSER_CONTENT;
		622	--
		623	GitLab


diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index dc62991739..39036f2688 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -34,6 +34,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
34	file://CVE-2022-29824.patch \	34	file://CVE-2022-29824.patch \
35	file://0001-Port-gentest.py-to-Python-3.patch \	35	file://0001-Port-gentest.py-to-Python-3.patch \
36	file://CVE-2016-3709.patch \	36	file://CVE-2016-3709.patch \
		37	file://CVE-2022-40303.patch \
37	"	38	"
38		39
39	SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"	40	SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"