From 90e67115f46b0cb75bd8d14edbaf76df8e649fb6 Mon Sep 17 00:00:00 2001
From: David King
Date: Thu, 13 May 2021 15:02:20 +0100
Subject: [PATCH] Fix CVE-2021-3517 (#1957002)
Resolves: #1957002
Resolves: CVE-2021-3517
---
 libxml2-2.9.10-CVE-2021-3517.patch | 49 ++++++++++++++++++++++++++++++
 libxml2.spec | 3 ++
 2 files changed, 52 insertions(+)
 create mode 100644 libxml2-2.9.10-CVE-2021-3517.patch
diff --git a/libxml2-2.9.10-CVE-2021-3517.patch b/libxml2-2.9.10-CVE-2021-3517.patch
new file mode 100644
index 0000000..e3ef736
--- /dev/null
+++ b/libxml2-2.9.10-CVE-2021-3517.patch
@@ -0,0 +1,49 @@
+From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
+From: Joel Hockey
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
+
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+
+Adds further checks to partial fix in 50f06b3e.
+
+Fixes #178
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/entities.c b/entities.c
+index 37b99a56..1a8f86f0 100644
+--- a/entities.c
++++ b/entities.c
+@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
+ } else {
+ /*
+ * We assume we have UTF-8 input.
++ * It must match either:
++ * 110xxxxx 10xxxxxx
++ * 1110xxxx 10xxxxxx 10xxxxxx
++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
++ * That is:
++ * cur[0] is 11xxxxxx
++ * cur[1] is 10xxxxxx
++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
++ * cur[0] is not 11111xxx
+ */
+ char buf[11], *ptr;
+ int val = 0, l = 1;
+
+- if (*cur < 0xC0) {
++ if (((cur[0] & 0xC0) != 0xC0) ||
++ ((cur[1] & 0xC0) != 0x80) ||
++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF8) == 0xF8))) {
+ xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+ "xmlEncodeEntities: input not UTF-8");
+ if (doc != NULL)
+--
+GitLab
+
diff --git a/libxml2.spec b/libxml2.spec
index 0c5120f..5fbfc21 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -24,6 +24,8 @@ Patch7: libxml2-2.9.10-CVE-2020-24977.patch
 Patch8: python-py_ssize_t.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1956969
 Patch9: libxml2-2.9.10-CVE-2021-3516.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1957002
+Patch10: libxml2-2.9.10-CVE-2021-3517.patch
 BuildRequires: gcc
 BuildRequires: make
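Review bot: The new condition in the inner entities.c hunk reads `cur[1]`, `cur[2]` and `cur[3]` past the lead byte, and stays in bounds only because each lookahead is reached after the previous byte was confirmed to be a non-NUL continuation byte and the input is NUL-terminated, which appears to be the implicit contract but is stated nowhere in the added comment block; I would add `/* cur[1..3] are read only after the preceding byte proved non-NUL; relies on NUL-terminated input */` above the `if`. The `(cur[0] & 0xF8) == 0xF8` test is evaluated last, so a 0xF8–0xFF lead byte followed by continuation bytes still triggers up to three lookahead reads before being rejected; moving it directly after the first test, `if (((cur[0] & 0xC0) != 0xC0) || ((cur[0] & 0xF8) == 0xF8) ||` followed by the existing continuation checks, rejects such bytes with no lookahead at all. The check validates byte structure only, not overlong or surrogate encodings, so whatever decode follows still sees those; whether that matters depends on code outside the hunk. The enclosing xmlEncodeEntitiesInternal begins before and continues after the hunk.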
@@ -157,6 +159,7 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %changelog
 * Thu May 13 2021 David King - 2.9.10-12
 - Fix CVE-2021-3516 (#1956969)
+- Fix CVE-2021-3517 (#1957002)
 * Fri Apr 16 2021 Mohan Boddu - 2.9.10-11
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937