* [PATCH 1/5] libsndfile1: update security patches
@ 2019-03-05 16:29 Ross Burton
  2019-03-05 16:30 ` [PATCH 2/5] icu: fix CVE-2018-18928 Ross Burton
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Ross Burton @ 2019-03-05 16:29 UTC (permalink / raw)
  To: openembedded-core

Remove CVE-2017-14245-14246.patch; the fix was rejected upstream as it doesn't solve the
underlying issue.

Instead, 0001-a-ulaw-fix-multiple-buffer-overflows-432 also solves CVE-2017-14245
and CVE-2017-14246 properly.

Add patches for CVE-2017-12562 and CVE-2018-19758.

Refresh CVE-2018-13139.patch.

Signed-off-by: Ross Burton <ross.burton@intel.com>
---
 ...-a-ulaw-fix-multiple-buffer-overflows-432.patch |  18 ++-
 .../libsndfile/libsndfile1/CVE-2017-12562.patch    |  96 ++++++++++++++++
 .../libsndfile1/CVE-2017-14245-14246.patch         | 121 ---------------------
 .../libsndfile/libsndfile1/CVE-2018-13139.patch    |  30 ++---
 .../libsndfile/libsndfile1/CVE-2018-19758.patch    |  34 ++++++
 .../libsndfile/libsndfile1_1.0.28.bb               |   3 +-
 6 files changed, 160 insertions(+), 142 deletions(-)
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch
 delete mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch

diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
index c3f44ca235b..a4679cef2a0 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
@@ -1,3 +1,15 @@
+This patch fixes #429 (CVE-2018-19661 CVE-2018-19662) and #344 (CVE-2017-17456
+CVE-2017-17457). As per
+https://github.com/erikd/libsndfile/issues/344#issuecomment-448504425 it also
+fixes #317 (CVE-2017-14245 CVE-2017-14246).
+
+CVE: CVE-2017-14245 CVE-2017-14246
+CVE: CVE-2017-17456 CVE-2017-17457
+CVE: CVE-2018-19661 CVE-2018-19662
+
+Upstream-Status: Backport [8ddc442d539ca775d80cdbc7af17a718634a743f]
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
 From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001
 From: Changqing Li <changqing.li@windriver.com>
 Date: Mon, 7 Jan 2019 15:55:03 +0800
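
Review bot: the new header's `Upstream-Status: Backport [8ddc442d539ca775d80cdbc7af17a718634a743f]` cites a different upstream commit from the one the old header referenced (585cc28a93be27d6938f276af0011401b9f7c0ca, removed in the following hunk), and the `From 39453899fe1bb39b2e041fdf51a85aecd177e9c7` line directly below it is Changqing Li's downstream rebase rather than either upstream commit; please state which upstream commit this patch is actually taken from (or list both if it squashes two) so the provenance trail is unambiguous. The added sentence citing the issue-344 comment as the reason this also covers CVE-2017-14245/14246 is the right place to record that, since the `CVE:` tags in this header are what cve-check will read once the dedicated patch is dropped.
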
@@ -17,12 +29,6 @@ In this case, arbitrarily set the buffer value to 0.
 This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
 fixes #344 (CVE-2017-17456 and CVE-2017-17457).
 
-Upstream-Status: Backport[https://github.com/erikd/libsndfile/
-commit/585cc28a93be27d6938f276af0011401b9f7c0ca]
-
-CVE: CVE-2017-17456 CVE-2017-17457 CVE-2018-19661 CVE-2018-19662
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
 ---
  src/alaw.c | 9 +++++++--
  src/ulaw.c | 9 +++++++--
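
Review bot: dropping `Signed-off-by: Changqing Li <changqing.li@windriver.com>` from the patch body loses the record of who did the original rebase onto 1.0.28, even though the `From:` line above still names him; keeping his sign-off in the body alongside the new one in the header is the usual way to preserve that chain, and it costs nothing.
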
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch
new file mode 100644
index 00000000000..491dae31148
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch
@@ -0,0 +1,96 @@
+Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in
+libsndfile through 1.0.28 allows remote attackers to cause a denial of service
+(application crash) or possibly have unspecified other impact.
+
+CVE: CVE-2017-12562
+Upstream-Status: Backport [cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8]
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From b6a9d7e95888ffa77d8c75ce3f03e6c7165587cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osmanx@problemloesungsmaschine.de>
+Date: Wed, 14 Jun 2017 12:25:40 +0200
+Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings
+ in binheader
+
+Fixes the following problems:
+ 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes.
+ 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the
+    big switch statement by an amount (16 bytes) which is enough for all cases
+    where only a single value gets added. Cases 's', 'S', 'p' however
+    additionally write an arbitrary length block of data and again enlarge the
+    buffer to the required amount. However, the required space calculation does
+    not take into account the size of the length field which gets output before
+    the data.
+ 3. Buffer size requirement calculation in case 'S' does not account for the
+    padding byte ("size += (size & 1) ;" happens after the calculation which
+    uses "size").
+ 4. Case 'S' can overrun the header buffer by 1 byte when no padding is
+    involved
+    ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while
+    the buffer is only guaranteed to have "size" space available).
+ 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte
+    beyond the space which is guaranteed to be allocated in the header buffer.
+ 6. Case 's' can overrun the provided source string by 1 byte if padding is
+    involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;"
+    where "size" is "strlen (strptr) + 1" (which includes the 0 terminator,
+    plus optionally another 1 which is padding and not guaranteed to be
+    readable via the source string pointer).
+
+Closes: https://github.com/erikd/libsndfile/issues/292
+---
+ src/common.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/src/common.c b/src/common.c
+index 1a6204ca..6b2a2ee9 100644
+--- a/src/common.c
++++ b/src/common.c
+@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ 					/* Write a C string (guaranteed to have a zero terminator). */
+ 					strptr = va_arg (argptr, char *) ;
+ 					size = strlen (strptr) + 1 ;
+-					size += (size & 1) ;
+ 
+-					if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
++					if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ 						return count ;
+ 
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+-						header_put_be_int (psf, size) ;
++						header_put_be_int (psf, size + (size & 1)) ;
+ 					else
+-						header_put_le_int (psf, size) ;
++						header_put_le_int (psf, size + (size & 1)) ;
+ 					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
++					size += (size & 1) ;
+ 					psf->header.indx += size ;
+ 					psf->header.ptr [psf->header.indx - 1] = 0 ;
+ 					count += 4 + size ;
+@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ 					*/
+ 					strptr = va_arg (argptr, char *) ;
+ 					size = strlen (strptr) ;
+-					if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
++					if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ 						return count ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						header_put_be_int (psf, size) ;
+ 					else
+ 						header_put_le_int (psf, size) ;
+-					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;
++					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ;
+ 					size += (size & 1) ;
+ 					psf->header.indx += size ;
+-					psf->header.ptr [psf->header.indx] = 0 ;
+ 					count += 4 + size ;
+ 					break ;
+ 
+@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ 					size = (size & 1) ? size : size + 1 ;
+ 					size = (size > 254) ? 254 : size ;
+ 
+-					if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
++					if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size))
+ 						return count ;
+ 
+ 					header_put_byte (psf, size) ;
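
Review bot: the new size checks in cases 's' and 'S' (`if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))`) are only sufficient if psf_bump_header_allocation grows the buffer by at least the requested number of bytes beyond the current write index; that function is not in the hunk, so it is worth confirming against common.c before merging, because all six problems listed in the description come down to the requested growth being smaller than what is subsequently written. The 's' case now memcpy's only `size` (strlen + 1) bytes and zeroes `psf->header.ptr [psf->header.indx - 1]` after adding the padding, which addresses the source-string over-read (problem 6) without touching unallocated header space. One documentation point: the header cites upstream commit cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 while the `From` line is b6a9d7e95888ffa77d8c75ce3f03e6c7165587cd; the bracketed id should be the commit the patch was actually exported from.
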
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch
deleted file mode 100644
index a17ec21f986..00000000000
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From 2d54514a4f6437b67829717c05472d2e3300a258 Mon Sep 17 00:00:00 2001
-From: Fabian Greffrath <fabian@greffrath.com>
-Date: Wed, 27 Sep 2017 14:46:17 +0200
-Subject: [PATCH] sfe_copy_data_fp: check value of "max" variable for being
- normal
-
-and check elements of the data[] array for being finite.
-
-Both checks use functions provided by the <math.h> header as declared
-by the C99 standard.
-
-Fixes #317
-CVE: CVE-2017-14245
-CVE: CVE-2017-14246
-
-Upstream-Status: Backport [https://github.com/fabiangreffrath/libsndfile/commit/2d54514a4f6437b67829717c05472d2e3300a258]
-
-Signed-off-by: Fabian Greffrath <fabian@greffrath.com>
-Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
----
- programs/common.c          | 20 ++++++++++++++++----
- programs/common.h          |  2 +-
- programs/sndfile-convert.c |  6 +++++-
- 3 files changed, 22 insertions(+), 6 deletions(-)
-
-diff --git a/programs/common.c b/programs/common.c
-index a21e62c..a249a58 100644
---- a/programs/common.c
-+++ b/programs/common.c
-@@ -36,6 +36,7 @@
- #include <string.h>
- #include <ctype.h>
- #include <stdint.h>
-+#include <math.h>
- 
- #include <sndfile.h>
- 
-@@ -45,7 +46,7 @@
- 
- #define	MIN(x, y)	((x) < (y) ? (x) : (y))
- 
--void
-+int
- sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize)
- {	static double	data [BUFFER_LEN], max ;
- 	int		frames, readcount, k ;
-@@ -54,6 +55,8 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize
- 	readcount = frames ;
- 
- 	sf_command (infile, SFC_CALC_SIGNAL_MAX, &max, sizeof (max)) ;
-+	if (!isnormal (max)) /* neither zero, subnormal, infinite, nor NaN */
-+		return 1 ;
- 
- 	if (!normalize && max < 1.0)
- 	{	while (readcount > 0)
-@@ -67,12 +70,16 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize
- 		while (readcount > 0)
- 		{	readcount = sf_readf_double (infile, data, frames) ;
- 			for (k = 0 ; k < readcount * channels ; k++)
--				data [k] /= max ;
-+			{	data [k] /= max ;
-+
-+				if (!isfinite (data [k])) /* infinite or NaN */
-+					return 1;
-+				}
- 			sf_writef_double (outfile, data, readcount) ;
- 			} ;
- 		} ;
- 
--	return ;
-+	return 0 ;
- } /* sfe_copy_data_fp */
- 
- void
-@@ -252,7 +259,12 @@ sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * in
- 
- 		/* If the input file is not the same as the output file, copy the data. */
- 		if ((infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT))
--			sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) ;
-+		{	if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) != 0)
-+			{	printf ("Error : Not able to decode input file '%s'\n", filenames [0]) ;
-+				error_code = 1 ;
-+				goto cleanup_exit ;
-+				} ;
-+			}
- 		else
- 			sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
- 		} ;
-diff --git a/programs/common.h b/programs/common.h
-index eda2d7d..986277e 100644
---- a/programs/common.h
-+++ b/programs/common.h
-@@ -62,7 +62,7 @@ typedef SF_BROADCAST_INFO_VAR (2048) SF_BROADCAST_INFO_2K ;
- 
- void sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * info) ;
- 
--void sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ;
-+int sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ;
- 
- void sfe_copy_data_int (SNDFILE *outfile, SNDFILE *infile, int channels) ;
- 
-diff --git a/programs/sndfile-convert.c b/programs/sndfile-convert.c
-index dff7f79..e6de593 100644
---- a/programs/sndfile-convert.c
-+++ b/programs/sndfile-convert.c
-@@ -335,7 +335,11 @@ main (int argc, char * argv [])
- 			|| (outfileminor == SF_FORMAT_DOUBLE) || (outfileminor == SF_FORMAT_FLOAT)
- 			|| (infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT)
- 			|| (infileminor == SF_FORMAT_VORBIS) || (outfileminor == SF_FORMAT_VORBIS))
--		sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) ;
-+	{	if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) != 0)
-+		{	printf ("Error : Not able to decode input file %s.\n", infilename) ;
-+			return 1 ;
-+			} ;
-+		}
- 	else
- 		sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
- 
--- 
-2.7.4
-
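
Review bot: the deleted patch changed programs/common.c and programs/sndfile-convert.c (the sndfile-convert tool) and its `Upstream-Status` pointed at a fork (github.com/fabiangreffrath/libsndfile) rather than erikd/libsndfile, which is consistent with the cover letter saying it was rejected upstream. The replacement fix lives in src/alaw.c and src/ulaw.c, a different layer, so the commit message should record that the crash the CVE describes in the tool is no longer reachable once the library-level fix is applied (the issue-317 discussion cited in the a-ulaw header is the evidence for that), rather than leaving readers to infer it from the CVE tags alone.
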
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch
index 4ae3674df15..707373d4140 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch
@@ -1,23 +1,25 @@
-From 5473aeef7875e54bd0f786fbdd259a35aaee875c Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Wed, 10 Oct 2018 08:59:30 +0800
-Subject: [PATCH] libsndfile1: patch for CVE-2018-13139
+CVE: CVE-2018-13139
+Upstream-Status: Backport [9dc989eb89cd697e19897afa616d6ab0debe4822]
+Signed-off-by: Ross Burton <ross.burton@intel.com>
 
-Upstream-Status: Backport [https://github.com/bwarden/libsndfile/
-commit/df18323c622b54221ee7ace74b177cdcccc152d7]
+From 9dc989eb89cd697e19897afa616d6ab0debe4822 Mon Sep 17 00:00:00 2001
+From: "Brett T. Warden" <brett.t.warden@intel.com>
+Date: Tue, 28 Aug 2018 12:01:17 -0700
+Subject: [PATCH] Check MAX_CHANNELS in sndfile-deinterleave
 
-CVE: CVE-2018-13139
+Allocated buffer has space for only 16 channels. Verify that input file
+meets this limit.
 
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
+Fixes #397
 ---
- programs/sndfile-deinterleave.c | 6 ++++++
- 1 file changed, 6 insertions(+)
+ programs/sndfile-deinterleave.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
 
 diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c
-index e27593e..721bee7 100644
+index e27593e2..cb497e1f 100644
 --- a/programs/sndfile-deinterleave.c
 +++ b/programs/sndfile-deinterleave.c
-@@ -89,6 +89,12 @@ main (int argc, char **argv)
+@@ -89,6 +89,13 @@ main (int argc, char **argv)
  		exit (1) ;
  		} ;
  
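
Review bot: the refreshed header now names the merged upstream commit (9dc989eb89cd697e19897afa616d6ab0debe4822) in both `Upstream-Status` and the `From` line instead of the earlier bwarden fork commit, which is an improvement; the diffstat changes from 6 to 7 insertions, though, while the only functional content is still the MAX_CHANNELS check, so the commit message for this refresh could say explicitly that the code is unchanged apart from header and whitespace, to save the next reviewer from diffing the two versions.
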
@@ -27,9 +29,9 @@ index e27593e..721bee7 100644
 +		exit (1) ;
 +		} ;
 +
++
  	state.channels = sfinfo.channels ;
  	sfinfo.channels = 1 ;
  
 -- 
-2.7.4
-
+2.11.0
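
Review bot: the `++` line in this hunk adds a second consecutive blank line after the new `exit (1) ; } ;` block, which is what accounts for the 6-to-7 insertion change in the diffstat; it is whitespace only and could be dropped from the refresh, or left as-is if the goal is to match the upstream commit byte for byte, which the new `index e27593e2..cb497e1f` line suggests.
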
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch
new file mode 100644
index 00000000000..c3586f9dfc8
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch
@@ -0,0 +1,34 @@
+There is a heap-based buffer over-read at wav.c in wav_write_header in
+libsndfile 1.0.28 that will cause a denial of service.
+
+CVE: CVE-2018-19758
+Upstream-Status: Backport [42132c543358cee9f7c3e9e9b15bb6c1063a608e]
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From c12173b0197dd0c5cfa2cd27977e982d2ae59486 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date: Tue, 1 Jan 2019 20:11:46 +1100
+Subject: [PATCH] src/wav.c: Fix heap read overflow
+
+This is CVE-2018-19758.
+
+Closes: https://github.com/erikd/libsndfile/issues/435
+---
+ src/wav.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/wav.c b/src/wav.c
+index e8405b55..6fb94ae8 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
+ 		psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
+ 		psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
+ 
++		/* Loop count is signed 16 bit number so we limit it range to something sensible. */
++		psf->instrument->loop_count &= 0x7fff ;
+ 		for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
+ 		{	int type ;
+ 
+-- 
+2.11.0
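
Review bot: in the wav.c hunk the mask `psf->instrument->loop_count &= 0x7fff ;` is applied after `psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;` has already written the unmasked loop count into the header, so for a count above 0x7fff the header's loop-count field and the number of loop entries actually emitted by the `for` loop will disagree. The backport is faithful to the commit it cites, so the hunk should stay as-is, but this is worth raising upstream (the mask should precede the write) and noting in the patch header. Minor: the added comment reads "limit it range" where "limit its range" is meant; again, leave it to match the backport. The header cites 42132c543358cee9f7c3e9e9b15bb6c1063a608e while the `From` line is c12173b0197dd0c5cfa2cd27977e982d2ae59486; one of the two should be identified as the export source.
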
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index 9700f4a6e75..eb2c719d8da 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -10,11 +10,12 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
            file://CVE-2017-8361-8365.patch \
            file://CVE-2017-8362.patch \
            file://CVE-2017-8363.patch \
-           file://CVE-2017-14245-14246.patch \
            file://CVE-2017-14634.patch \
            file://CVE-2018-13139.patch \
            file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \
            file://CVE-2018-19432.patch \
+           file://CVE-2017-12562.patch \
+           file://CVE-2018-19758.patch \
           "
 
 SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
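
Review bot: removing `file://CVE-2017-14245-14246.patch` from SRC_URI while adding the two new patches is consistent with the file-level changes above. Since the recipe's cve-check coverage for CVE-2017-14245 and CVE-2017-14246 now depends entirely on the `CVE:` tags added to 0001-a-ulaw-fix-multiple-buffer-overflows-432.patch, a sentence in the commit message saying so would stop anyone later reading this SRC_URI change as dropping a fix.
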
-- 
2.11.0


* [PATCH 2/5] icu: fix CVE-2018-18928
  2019-03-05 16:29 [PATCH 1/5] libsndfile1: update security patches Ross Burton
@ 2019-03-05 16:30 ` Ross Burton
  2019-03-05 16:30 ` [PATCH 3/5] file: upgrade to 5.36 Ross Burton
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Ross Burton @ 2019-03-05 16:30 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Ross Burton <ross.burton@intel.com>
---
 meta/recipes-support/icu/icu/CVE-2018-18928.patch | 63 +++++++++++++++++++++++
 meta/recipes-support/icu/icu_63.1.bb              |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 meta/recipes-support/icu/icu/CVE-2018-18928.patch

diff --git a/meta/recipes-support/icu/icu/CVE-2018-18928.patch b/meta/recipes-support/icu/icu/CVE-2018-18928.patch
new file mode 100644
index 00000000000..19c50e4e76a
--- /dev/null
+++ b/meta/recipes-support/icu/icu/CVE-2018-18928.patch
@@ -0,0 +1,63 @@
+CVE: CVE-2018-18928
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 53d8c8f3d181d87a6aa925b449b51c4a2c922a51 Mon Sep 17 00:00:00 2001
+From: Shane Carr <shane@unicode.org>
+Date: Mon, 29 Oct 2018 23:52:44 -0700
+Subject: [PATCH] ICU-20246 Fixing another integer overflow in number parsing.
+
+---
+ i18n/fmtable.cpp                          |  2 +-
+ i18n/number_decimalquantity.cpp           |  5 ++++-
+ test/intltest/numfmtst.cpp                |  8 ++++++++
+ 6 files changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/i18n/fmtable.cpp b/i18n/fmtable.cpp
+index 45c7024fc29..8601d95f4a6 100644
+--- a/i18n/fmtable.cpp
++++ b/i18n/fmtable.cpp
+@@ -734,7 +734,7 @@ CharString *Formattable::internalGetCharString(UErrorCode &status) {
+       // not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?).
+       if (fDecimalQuantity->isZero()) {
+         fDecimalStr->append("0", -1, status);
+-      } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) {
++      } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) {
+         fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status);
+       } else {
+         fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status);
+diff --git a/i18n/number_decimalquantity.cpp b/i18n/number_decimalquantity.cpp
+index 47b930a564b..d5dd7ae694c 100644
+--- a/i18n/number_decimalquantity.cpp
++++ b/i18n/number_decimalquantity.cpp
+@@ -898,7 +898,10 @@ UnicodeString DecimalQuantity::toScientificString() const {
+     }
+     result.append(u'E');
+     int32_t _scale = upperPos + scale;
+-    if (_scale < 0) {
++    if (_scale == INT32_MIN) {
++        result.append({u"-2147483648", -1});
++        return result;
++    } else if (_scale < 0) {
+         _scale *= -1;
+         result.append(u'-');
+     } else {
+diff --git a/test/intltest/numfmtst.cpp b/test/intltest/numfmtst.cpp
+index 34355939113..8d52dc122bf 100644
+--- a/test/intltest/numfmtst.cpp
++++ b/test/intltest/numfmtst.cpp
+@@ -9226,6 +9226,14 @@ void NumberFormatTest::Test20037_ScientificIntegerOverflow() {
+     assertEquals(u"Should not overflow and should parse only the first exponent",
+                  u"1E-2147483647",
+                  {sp.data(), sp.length(), US_INV});
++
++    // Test edge case overflow of exponent
++    result = Formattable();
++    nf->parse(u".0003e-2147483644", result, status);
++    sp = result.getDecimalNumber(status);
++    assertEquals(u"Should not overflow",
++                 u"3E-2147483648",
++                 {sp.data(), sp.length(), US_INV});
+ }
+ 
+ void NumberFormatTest::Test13840_ParseLongStringCrash() {
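
Review bot: the embedded diffstat (`6 files changed, 31 insertions(+), 4 deletions(-)`) lists only three files, so this is a trimmed subset of upstream commit 53d8c8f3d181d87a6aa925b449b51c4a2c922a51; `Upstream-Status: Backport` should carry that commit id in brackets as the libsndfile patches in this series do, and the header should say which files were dropped and why. On the code itself the guards are consistent with each other: fmtable.cpp avoids calling std::abs on INT32_MIN, number_decimalquantity.cpp special-cases `_scale == INT32_MIN` before `_scale *= -1` (which would otherwise overflow), and the numfmtst.cpp addition exercises exactly that value (`3E-2147483648`), so the regression test is carried along with the fix.
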
diff --git a/meta/recipes-support/icu/icu_63.1.bb b/meta/recipes-support/icu/icu_63.1.bb
index e593dc1bdbd..961f022ad7a 100644
--- a/meta/recipes-support/icu/icu_63.1.bb
+++ b/meta/recipes-support/icu/icu_63.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "${BASE_SRC_URI} \
            file://icu-pkgdata-large-cmd.patch \
            file://fix-install-manx.patch \
            file://0002-Add-ARC-support.patch \
+           file://CVE-2018-18928.patch \
            "
 
 SRC_URI_append_class-target = "\
-- 
2.11.0


* [PATCH 3/5] file: upgrade to 5.36
  2019-03-05 16:29 [PATCH 1/5] libsndfile1: update security patches Ross Burton
  2019-03-05 16:30 ` [PATCH 2/5] icu: fix CVE-2018-18928 Ross Burton
@ 2019-03-05 16:30 ` Ross Burton
  2019-03-05 16:30 ` [PATCH 4/5] libarchive: integrate security fixes Ross Burton
  2019-03-05 16:30 ` [PATCH 5/5] libpng: fix CVE-2019-7317 Ross Burton
  3 siblings, 0 replies; 5+ messages in thread
From: Ross Burton @ 2019-03-05 16:30 UTC (permalink / raw)
  To: openembedded-core

Upgrade to 5.36.

Drop debian-742262.patch; this appears to have been fixed properly upstream some
releases ago.

Signed-off-by: Ross Burton <ross.burton@intel.com>
---
 .../recipes-devtools/file/file/debian-742262.patch | 27 ----------------------
 .../file/{file_5.35.bb => file_5.36.bb}            |  6 ++---
 2 files changed, 2 insertions(+), 31 deletions(-)
 delete mode 100644 meta/recipes-devtools/file/file/debian-742262.patch
 rename meta/recipes-devtools/file/{file_5.35.bb => file_5.36.bb} (90%)

diff --git a/meta/recipes-devtools/file/file/debian-742262.patch b/meta/recipes-devtools/file/file/debian-742262.patch
deleted file mode 100644
index 319f9dbcf9b..00000000000
--- a/meta/recipes-devtools/file/file/debian-742262.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-The awk pattern was checked *before* the Perl pattern, so the
-perl script with BEGIN{...} would be reported as awk, this patch fixes it.
-
-Upstream-Status: Backport [debian]
-
-Signed-off-by: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
-
-Rebase on 5.31
-
-Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
----
- magic/Magdir/commands | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/magic/Magdir/commands b/magic/Magdir/commands
-index f6ad1c8..f79e7dd 100644
---- a/magic/Magdir/commands
-+++ b/magic/Magdir/commands
-@@ -57,6 +57,7 @@
- 0	string/wt	#!\ /usr/bin/awk	awk script text executable
- !:mime	text/x-awk
- 0	regex/4096	=^[\040\t\f\r\n]{0,100}BEGIN[\040\t\f\r\n]{0,100}[{]	awk or perl script text
-+!:strength - 12
- 
- # AT&T Bell Labs' Plan 9 shell
- 0	string/wt	#!\ /bin/rc	Plan 9 rc shell script text executable
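
Review bot: the commit message says the awk-versus-perl ordering problem "appears" to have been fixed upstream; since the deleted patch's only change was adding `!:strength - 12` to the awk BEGIN regex in magic/Magdir/commands, the evidence a reviewer wants is the upstream commit that made it unnecessary (or the 5.36 version of that magic rule), cited in the commit message rather than left inferred.
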
diff --git a/meta/recipes-devtools/file/file_5.35.bb b/meta/recipes-devtools/file/file_5.36.bb
similarity index 90%
rename from meta/recipes-devtools/file/file_5.35.bb
rename to meta/recipes-devtools/file/file_5.36.bb
index 2f0589de686..1a81fde259d 100644
--- a/meta/recipes-devtools/file/file_5.35.bb
+++ b/meta/recipes-devtools/file/file_5.36.bb
@@ -14,11 +14,9 @@ DEPENDS_class-native = "zlib-native"
 # Blacklist a bogus tag in upstream check
 UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P<pver>(?!6_23).+)"
 
-SRC_URI = "git://github.com/file/file.git \
-        file://debian-742262.patch \
-        "
+SRC_URI = "git://github.com/file/file.git"
 
-SRCREV = "d1ff3af7a2c6b38bdbdde7af26b59e3c50a48fff"
+SRCREV = "f3a4b9ada3ca99e62c62b9aa78eee4935a8094fe"
 S = "${WORKDIR}/git"
 
 inherit autotools update-alternatives
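
Review bot: the SRCREV bump to f3a4b9ada3ca99e62c62b9aa78eee4935a8094fe names no tag; given the `UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P<pver>(?!6_23).+)"` pattern just above, stating in the commit message that this SRCREV is the commit the 5.36 release tag points at would make the upgrade easy to audit. Collapsing SRC_URI to `SRC_URI = "git://github.com/file/file.git"` is fine now that no patches remain.
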
-- 
2.11.0


* [PATCH 4/5] libarchive: integrate security fixes
  2019-03-05 16:29 [PATCH 1/5] libsndfile1: update security patches Ross Burton
  2019-03-05 16:30 ` [PATCH 2/5] icu: fix CVE-2018-18928 Ross Burton
  2019-03-05 16:30 ` [PATCH 3/5] file: upgrade to 5.36 Ross Burton
@ 2019-03-05 16:30 ` Ross Burton
  2019-03-05 16:30 ` [PATCH 5/5] libpng: fix CVE-2019-7317 Ross Burton
  3 siblings, 0 replies; 5+ messages in thread
From: Ross Burton @ 2019-03-05 16:30 UTC (permalink / raw)
  To: openembedded-core

Fix the following CVEs by backporting patches from upstream:
- CVE-2019-1000019
- CVE-2019-1000020
- CVE-2018-1000877
- CVE-2018-1000878
- CVE-2018-1000879
- CVE-2018-1000880

Signed-off-by: Ross Burton <ross.burton@intel.com>
---
 .../libarchive/libarchive/CVE-2018-1000877.patch   | 38 +++++++++++
 .../libarchive/libarchive/CVE-2018-1000878.patch   | 79 ++++++++++++++++++++++
 .../libarchive/libarchive/CVE-2018-1000879.patch   | 50 ++++++++++++++
 .../libarchive/libarchive/CVE-2018-1000880.patch   | 44 ++++++++++++
 .../libarchive/libarchive/CVE-2019-1000019.patch   | 59 ++++++++++++++++
 .../libarchive/libarchive/CVE-2019-1000020.patch   | 61 +++++++++++++++++
 .../libarchive/libarchive_3.3.3.bb                 |  6 ++
 7 files changed, 337 insertions(+)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2018-1000878.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2019-1000019.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2019-1000020.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch
new file mode 100644
index 00000000000..ce638370bd4
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch
@@ -0,0 +1,38 @@
+CVE: CVE-2018-1000877
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 021efa522ad729ff0f5806c4ce53e4a6cc1daa31 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 20 Nov 2018 17:56:29 +1100
+Subject: [PATCH] Avoid a double-free when a window size of 0 is specified
+
+new_size can be 0 with a malicious or corrupted RAR archive.
+
+realloc(area, 0) is equivalent to free(area), so the region would
+be free()d here and the free()d again in the cleanup function.
+
+Found with a setup running AFL, afl-rb, and qsym.
+---
+ libarchive/archive_read_support_format_rar.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 23452222..6f419c27 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -2300,6 +2300,11 @@ parse_codes(struct archive_read *a)
+       new_size = DICTIONARY_MAX_SIZE;
+     else
+       new_size = rar_fls((unsigned int)rar->unp_size) << 1;
++    if (new_size == 0) {
++      archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++                        "Zero window size is invalid.");
++      return (ARCHIVE_FATAL);
++    }
+     new_window = realloc(rar->lzss.window, new_size);
+     if (new_window == NULL) {
+       archive_set_error(&a->archive, ENOMEM,
+-- 
+2.20.0
+
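
Review bot: `Upstream-Status: Backport` lacks the bracketed upstream commit id that the libsndfile patches earlier in the series carry; the `From` line gives 021efa522ad729ff0f5806c4ce53e4a6cc1daa31, so it can be added directly. The check itself is placed correctly: `new_size` is computed from `rar_fls((unsigned int)rar->unp_size) << 1` before the `if (new_size == 0)` test, so both an `unp_size` that truncates to zero and a zero-yielding rar_fls result are caught before `realloc(rar->lzss.window, new_size)` could act as a free and set up the double-free described in the message.
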
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000878.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000878.patch
new file mode 100644
index 00000000000..7468fd3c935
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000878.patch
@@ -0,0 +1,79 @@
+CVE: CVE-2018-1000878
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From bfcfe6f04ed20db2504db8a254d1f40a1d84eb28 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 4 Dec 2018 00:55:22 +1100
+Subject: [PATCH] rar: file split across multi-part archives must match
+
+Fuzzing uncovered some UAF and memory overrun bugs where a file in a
+single file archive reported that it was split across multiple
+volumes. This was caused by ppmd7 operations calling
+rar_br_fillup. This would invoke rar_read_ahead, which would in some
+situations invoke archive_read_format_rar_read_header.  That would
+check the new file name against the old file name, and if they didn't
+match up it would free the ppmd7 buffer and allocate a new
+one. However, because the ppmd7 decoder wasn't actually done with the
+buffer, it would continue to used the freed buffer. Both reads and
+writes to the freed region can be observed.
+
+This is quite tricky to solve: once the buffer has been freed it is
+too late, as the ppmd7 decoder functions almost universally assume
+success - there's no way for ppmd_read to signal error, nor are there
+good ways for functions like Range_Normalise to propagate them. So we
+can't detect after the fact that we're in an invalid state - e.g. by
+checking rar->cursor, we have to prevent ourselves from ever ending up
+there. So, when we are in the dangerous part or rar_read_ahead that
+assumes a valid split, we set a flag force read_header to either go
+down the path for split files or bail. This means that the ppmd7
+decoder keeps a valid buffer and just runs out of data.
+
+Found with a combination of AFL, afl-rb and qsym.
+---
+ libarchive/archive_read_support_format_rar.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 6f419c27..a8cc5c94 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -258,6 +258,7 @@ struct rar
+   struct data_block_offsets *dbo;
+   unsigned int cursor;
+   unsigned int nodes;
++  char filename_must_match;
+ 
+   /* LZSS members */
+   struct huffman_code maincode;
+@@ -1560,6 +1561,12 @@ read_header(struct archive_read *a, struct archive_entry *entry,
+     }
+     return ret;
+   }
++  else if (rar->filename_must_match)
++  {
++    archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++      "Mismatch of file parts split across multi-volume archive");
++    return (ARCHIVE_FATAL);
++  }
+ 
+   rar->filename_save = (char*)realloc(rar->filename_save,
+                                       filename_size + 1);
+@@ -2933,12 +2940,14 @@ rar_read_ahead(struct archive_read *a, size_t min, ssize_t *avail)
+     else if (*avail == 0 && rar->main_flags & MHD_VOLUME &&
+       rar->file_flags & FHD_SPLIT_AFTER)
+     {
++      rar->filename_must_match = 1;
+       ret = archive_read_format_rar_read_header(a, a->entry);
+       if (ret == (ARCHIVE_EOF))
+       {
+         rar->has_endarc_header = 1;
+         ret = archive_read_format_rar_read_header(a, a->entry);
+       }
++      rar->filename_must_match = 0;
+       if (ret != (ARCHIVE_OK))
+         return NULL;
+       return rar_read_ahead(a, min, avail);
+-- 
+2.20.0
+
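
Review bot: the new `char filename_must_match` member of `struct rar` is read in read_header (`else if (rar->filename_must_match)`) on every call, so it must start zeroed; the allocation of `struct rar` is not in this patch, so please confirm it is calloc'd (or the field is explicitly initialised) before merging, otherwise an uninitialised non-zero value would make the first header read fail with "Mismatch of file parts split across multi-volume archive". The set/clear pair around the two `archive_read_format_rar_read_header` calls in rar_read_ahead clears the flag before the `if (ret != (ARCHIVE_OK)) return NULL;` check, so it cannot stay set on the error path, which is good. As with the other libarchive patches, please put the commit id (bfcfe6f04ed20db2504db8a254d1f40a1d84eb28) in the Upstream-Status brackets.
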
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch
new file mode 100644
index 00000000000..9f25932a1ab
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch
@@ -0,0 +1,50 @@
+CVE: CVE-2018-1000879
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 4 Dec 2018 14:29:42 +1100
+Subject: [PATCH] Skip 0-length ACL fields
+
+Currently, it is possible to create an archive that crashes bsdtar
+with a malformed ACL:
+
+Program received signal SIGSEGV, Segmentation fault.
+archive_acl_from_text_l (acl=<optimised out>, text=0x7e2e92 "", want_type=<optimised out>, sc=<optimised out>) at libarchive/archive_acl.c:1726
+1726				switch (*s) {
+(gdb) p n
+$1 = 1
+(gdb) p field[n]
+$2 = {start = 0x0, end = 0x0}
+
+Stop this by checking that the length is not zero before beginning
+the switch statement.
+
+I am pretty sure this is the bug mentioned in the qsym paper [1],
+and I was able to replicate it with a qsym + AFL + afl-rb setup.
+
+[1] https://www.usenix.org/conference/usenixsecurity18/presentation/yun
+---
+ libarchive/archive_acl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c
+index 512beee1..7beeee86 100644
+--- a/libarchive/archive_acl.c
++++ b/libarchive/archive_acl.c
+@@ -1723,6 +1723,11 @@ archive_acl_from_text_l(struct archive_acl *acl, const char *text,
+ 			st = field[n].start + 1;
+ 			len = field[n].end - field[n].start;
+ 
++			if (len == 0) {
++				ret = ARCHIVE_WARN;
++				continue;
++			}
++
+ 			switch (*s) {
+ 			case 'u':
+ 				if (len == 1 || (len == 4
+-- 
+2.20.0
+
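Review bot: the zero-length guard added before `switch (*s)` in archive_acl_from_text_l sets `ret = ARCHIVE_WARN` and `continue`s without calling archive_set_error(), so a caller that inspects the warning gets no message saying an ACL field was malformed and skipped; consider pairing it with archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ...) the way the rar and iso9660 backports in this series do. The guard itself is right: the gdb output in the commit message shows `field[n]` with start and end both NULL, which is exactly the `len == 0` case that previously reached the dereference.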
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch
new file mode 100644
index 00000000000..bc264a12423
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch
@@ -0,0 +1,44 @@
+CVE: CVE-2018-1000880
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 9c84b7426660c09c18cc349f6d70b5f8168b5680 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 4 Dec 2018 16:33:42 +1100
+Subject: [PATCH] warc: consume data once read
+
+The warc decoder only used read ahead, it wouldn't actually consume
+data that had previously been printed. This means that if you specify
+an invalid content length, it will just reprint the same data over
+and over and over again until it hits the desired length.
+
+This means that a WARC resource with e.g.
+Content-Length: 666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666665
+but only a few hundred bytes of data, causes a quasi-infinite loop.
+
+Consume data in subsequent calls to _warc_read.
+
+Found with an AFL + afl-rb + qsym setup.
+---
+ libarchive/archive_read_support_format_warc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_warc.c b/libarchive/archive_read_support_format_warc.c
+index e8753853..e8fc8428 100644
+--- a/libarchive/archive_read_support_format_warc.c
++++ b/libarchive/archive_read_support_format_warc.c
+@@ -386,6 +386,11 @@ _warc_read(struct archive_read *a, const void **buf, size_t *bsz, int64_t *off)
+ 		return (ARCHIVE_EOF);
+ 	}
+ 
++	if (w->unconsumed) {
++		__archive_read_consume(a, w->unconsumed);
++		w->unconsumed = 0U;
++	}
++
+ 	rab = __archive_read_ahead(a, 1U, &nrd);
+ 	if (nrd < 0) {
+ 		*bsz = 0U;
+-- 
+2.20.0
+
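Review bot: this hunk only adds the consume step at the top of _warc_read; the bookkeeping that stores the number of bytes handed out on the previous call into `w->unconsumed` is not part of the patch (diffstat: 5 insertions in one file), so it must already exist in the 3.3.3 base for the fix to have any effect. Please confirm that both the `unconsumed` member and the assignment to it are present in the version being patched; if the backport applied cleanly but the base never sets `unconsumed`, the repeated re-read described in the commit message remains.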
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000019.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000019.patch
new file mode 100644
index 00000000000..f6f1add5e06
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000019.patch
@@ -0,0 +1,59 @@
+CVE: CVE-2018-1000019
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 65a23f5dbee4497064e9bb467f81138a62b0dae1 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 1 Jan 2019 16:01:40 +1100
+Subject: [PATCH 2/2] 7zip: fix crash when parsing certain archives
+
+Fuzzing with CRCs disabled revealed that a call to get_uncompressed_data()
+would sometimes fail to return at least 'minimum' bytes. This can cause
+the crc32() invocation in header_bytes to read off into invalid memory.
+
+A specially crafted archive can use this to cause a crash.
+
+An ASAN trace is below, but ASAN is not required - an uninstrumented
+binary will also crash.
+
+==7719==ERROR: AddressSanitizer: SEGV on unknown address 0x631000040000 (pc 0x7fbdb3b3ec1d bp 0x7ffe77a51310 sp 0x7ffe77a51150 T0)
+==7719==The signal is caused by a READ memory access.
+    #0 0x7fbdb3b3ec1c in crc32_z (/lib/x86_64-linux-gnu/libz.so.1+0x2c1c)
+    #1 0x84f5eb in header_bytes (/tmp/libarchive/bsdtar+0x84f5eb)
+    #2 0x856156 in read_Header (/tmp/libarchive/bsdtar+0x856156)
+    #3 0x84e134 in slurp_central_directory (/tmp/libarchive/bsdtar+0x84e134)
+    #4 0x849690 in archive_read_format_7zip_read_header (/tmp/libarchive/bsdtar+0x849690)
+    #5 0x5713b7 in _archive_read_next_header2 (/tmp/libarchive/bsdtar+0x5713b7)
+    #6 0x570e63 in _archive_read_next_header (/tmp/libarchive/bsdtar+0x570e63)
+    #7 0x6f08bd in archive_read_next_header (/tmp/libarchive/bsdtar+0x6f08bd)
+    #8 0x52373f in read_archive (/tmp/libarchive/bsdtar+0x52373f)
+    #9 0x5257be in tar_mode_x (/tmp/libarchive/bsdtar+0x5257be)
+    #10 0x51daeb in main (/tmp/libarchive/bsdtar+0x51daeb)
+    #11 0x7fbdb27cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
+    #12 0x41dd09 in _start (/tmp/libarchive/bsdtar+0x41dd09)
+
+This was primarly done with afl and FairFuzz. Some early corpus entries
+may have been generated by qsym.
+---
+ libarchive/archive_read_support_format_7zip.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
+index bccbf8966..b6d1505d3 100644
+--- a/libarchive/archive_read_support_format_7zip.c
++++ b/libarchive/archive_read_support_format_7zip.c
+@@ -2964,13 +2964,7 @@ get_uncompressed_data(struct archive_read *a, const void **buff, size_t size,
+ 	if (zip->codec == _7Z_COPY && zip->codec2 == (unsigned long)-1) {
+ 		/* Copy mode. */
+ 
+-		/*
+-		 * Note: '1' here is a performance optimization.
+-		 * Recall that the decompression layer returns a count of
+-		 * available bytes; asking for more than that forces the
+-		 * decompressor to combine reads by copying data.
+-		 */
+-		*buff = __archive_read_ahead(a, 1, &bytes_avail);
++		*buff = __archive_read_ahead(a, minimum, &bytes_avail);
+ 		if (bytes_avail <= 0) {
+ 			archive_set_error(&a->archive,
+ 			    ARCHIVE_ERRNO_FILE_FORMAT,
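Review bot: the first line of this file reads `CVE: CVE-2018-1000019` while the file is named CVE-2019-1000019.patch and is added to the recipe under that name; tooling that reads the `CVE:` tag will record the wrong identifier, so the tag should be `CVE: CVE-2019-1000019`. The code change is straightforward: asking __archive_read_ahead() for `minimum` bytes instead of 1 means the read-ahead fails when the archive cannot supply enough data, and the existing `bytes_avail <= 0` check then turns that into ARCHIVE_ERRNO_FILE_FORMAT instead of letting header_bytes() run crc32() past the buffer.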
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000020.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000020.patch
new file mode 100644
index 00000000000..3e639213464
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000020.patch
@@ -0,0 +1,61 @@
+CVE: CVE-2018-1000020
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 8312eaa576014cd9b965012af51bc1f967b12423 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 1 Jan 2019 17:10:49 +1100
+Subject: [PATCH 1/2] iso9660: Fail when expected Rockridge extensions is
+ missing
+
+A corrupted or malicious ISO9660 image can cause read_CE() to loop
+forever.
+
+read_CE() calls parse_rockridge(), expecting a Rockridge extension
+to be read. However, parse_rockridge() is structured as a while
+loop starting with a sanity check, and if the sanity check fails
+before the loop has run, the function returns ARCHIVE_OK without
+advancing the position in the file. This causes read_CE() to retry
+indefinitely.
+
+Make parse_rockridge() return ARCHIVE_WARN if it didn't read an
+extension. As someone with no real knowledge of the format, this
+seems more apt than ARCHIVE_FATAL, but both the call-sites escalate
+it to a fatal error immediately anyway.
+
+Found with a combination of AFL, afl-rb (FairFuzz) and qsym.
+---
+ libarchive/archive_read_support_format_iso9660.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
+index 28acfefbb..bad8f1dfe 100644
+--- a/libarchive/archive_read_support_format_iso9660.c
++++ b/libarchive/archive_read_support_format_iso9660.c
+@@ -2102,6 +2102,7 @@ parse_rockridge(struct archive_read *a, struct file_info *file,
+     const unsigned char *p, const unsigned char *end)
+ {
+ 	struct iso9660 *iso9660;
++	int entry_seen = 0;
+ 
+ 	iso9660 = (struct iso9660 *)(a->format->data);
+ 
+@@ -2257,8 +2258,16 @@ parse_rockridge(struct archive_read *a, struct file_info *file,
+ 		}
+ 
+ 		p += p[2];
++		entry_seen = 1;
++	}
++
++	if (entry_seen)
++		return (ARCHIVE_OK);
++	else {
++		archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++				  "Tried to parse Rockridge extensions, but none found");
++		return (ARCHIVE_WARN);
+ 	}
+-	return (ARCHIVE_OK);
+ }
+ 
+ static int
+
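Review bot: same tag mismatch as the 7zip patch: the file is CVE-2019-1000020.patch but its first line says `CVE: CVE-2018-1000020`; please correct the tag to `CVE: CVE-2019-1000020`. The parse_rockridge() change reads correctly: `entry_seen` is set only after `p += p[2]` advances past a parsed entry, so when the while loop's sanity check fails on the first iteration the function now returns ARCHIVE_WARN with an error message instead of a silent ARCHIVE_OK with no progress, which is what drove the read_CE() retry loop described in the commit message.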
diff --git a/meta/recipes-extended/libarchive/libarchive_3.3.3.bb b/meta/recipes-extended/libarchive/libarchive_3.3.3.bb
index 46a3d437626..af5ca65297b 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.3.3.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.3.3.bb
@@ -34,6 +34,12 @@ EXTRA_OECONF += "--enable-largefile"
 SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
            file://non-recursive-extract-and-list.patch \
            file://bug1066.patch \
+           file://CVE-2018-1000877.patch \
+           file://CVE-2018-1000878.patch \
+           file://CVE-2018-1000879.patch \
+           file://CVE-2018-1000880.patch \
+           file://CVE-2019-1000019.patch \
+           file://CVE-2019-1000020.patch \
 "
 
 SRC_URI[md5sum] = "4038e366ca5b659dae3efcc744e72120"
-- 
2.11.0




* [PATCH 5/5] libpng: fix CVE-2019-7317
  2019-03-05 16:29 [PATCH 1/5] libsndfile1: update security patches Ross Burton
                   ` (2 preceding siblings ...)
  2019-03-05 16:30 ` [PATCH 4/5] libarchive: integrate security fixes Ross Burton
@ 2019-03-05 16:30 ` Ross Burton
  3 siblings, 0 replies; 5+ messages in thread
From: Ross Burton @ 2019-03-05 16:30 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Ross Burton <ross.burton@intel.com>
---
 .../libpng/libpng/CVE-2019-7317.patch                | 20 ++++++++++++++++++++
 meta/recipes-multimedia/libpng/libpng_1.6.36.bb      |  3 ++-
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/libpng/libpng/CVE-2019-7317.patch

diff --git a/meta/recipes-multimedia/libpng/libpng/CVE-2019-7317.patch b/meta/recipes-multimedia/libpng/libpng/CVE-2019-7317.patch
new file mode 100644
index 00000000000..6ee1f8da303
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng/CVE-2019-7317.patch
@@ -0,0 +1,20 @@
+Use-after-free detected with static analysis.
+
+CVE: CVE-2019-7317
+Upstream-Status: Submitted [https://github.com/glennrp/libpng/issues/275]
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff --git a/png.c b/png.c
+index 9d9926f638..efd1aecfbd 100644
+--- a/png.c
++++ b/png.c
+@@ -4588,8 +4588,7 @@ png_image_free(png_imagep image)
+    if (image != NULL && image->opaque != NULL &&
+       image->opaque->error_buf == NULL)
+    {
+-      /* Ignore errors here: */
+-      (void)png_safe_execute(image, png_image_free_function, image);
++      png_image_free_function(image);
+       image->opaque = NULL;
+    }
+ }
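Review bot: the patch header says only "Use-after-free detected with static analysis" and never names the access that is freed and then used; since the fix replaces the png_safe_execute() wrapper with a direct png_image_free_function() call, the header should state which object the wrapper touched after the callee had released it, so a later reader can judge the change without the upstream issue. Note also that the direct call runs without the wrapper's error context: the guard at the top of the hunk (`image->opaque->error_buf == NULL`) means there is no jmp_buf to land on, so png_image_free_function() must not be able to reach png_error() on this path. Upstream-Status is Submitted against glennrp/libpng issue 275; please update it to Backport with the commit id once that is resolved.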
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.36.bb b/meta/recipes-multimedia/libpng/libpng_1.6.36.bb
index 3cf4f7249cb..a5862378884 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.36.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.36.bb
@@ -9,7 +9,8 @@ DEPENDS = "zlib"
 
 LIBV = "16"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \
+           file://CVE-2019-7317.patch"
 SRC_URI[md5sum] = "df2be2d29c40937fe1f5349b16bc2826"
 SRC_URI[sha256sum] = "eceb924c1fa6b79172fdfd008d335f0e59172a86a66481e09d4089df872aa319"
 
-- 
2.11.0


