From 56f6f5585de70819fa493d0d803f60799d02fa5c Mon Sep 17 00:00:00 2001
From: Andrej Valek <andrej.valek@siemens.com>
Date: Mon, 12 Dec 2016 12:46:21 +0100
Subject: libupnp: Fix out-of-bound access in create_url_list() (CVE-2016-8863)

If there is an invalid URL in URLS->buf after a valid one, uri_parse is
called with out pointing after the allocated memory. As uri_parse writes
to *out before returning an error the loop in create_url_list must be
stopped early to prevent an out-of-bound access

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
(cherry picked from commit b4659368a01a5b4209d9e1e571bb569ef4a06195)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb | 1 +
 1 file changed, 1 insertion(+)

(limited to 'meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb')

diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb b/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb
index 133a8ebd53..71fc70dd19 100644
--- a/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb
+++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b3190d5244e08e78e4c8ee78544f4863"
 SRC_URI = "${SOURCEFORGE_MIRROR}/pupnp/${BP}.tar.bz2 \
            file://avoid-redefining-strnlen-and-strndup.patch \
            file://sepbuildfix.patch \
+           file://CVE-2016-8863.patch \
 "
 
 SRC_URI[md5sum] = "ee16e5d33a3ea7506f38d71facc057dd"
-- 
cgit 1.2.3-korg