From 8087281ffff26fb4651c0d67681454a54bf24aad Mon Sep 17 00:00:00 2001
From: Michal Ruprich
Date: Wed, 27 May 2026 14:35:00 +0200
Subject: [PATCH] Fix integer overflow and OOM in LYB parser string/value reading
Resolves: RHEL-177018
---
RHEL-177019.patch | 51 +++++++++++++++++++++++++++++++++++++++++++++++
libyang.spec | 9 ++++++++-
2 files changed, 59 insertions(+), 1 deletion(-)
create mode 100644 RHEL-177019.patch
diff --git a/RHEL-177019.patch b/RHEL-177019.patch
new file mode 100644
index 0000000..9326e8a
--- /dev/null
+++ b/RHEL-177019.patch
@@ -0,0 +1,51 @@
+From 8f3230e5767d5938a70769249ed6f479d2925647 Mon Sep 17 00:00:00 2001
+From: Dom
+Date: Mon, 4 May 2026 03:54:06 -0400
+Subject: [PATCH] parser_lyb: fix integer overflow and OOM in
+ lyb_read_string/lyb_read_value
+
+lyb_read_string: when str_len == UINT32_MAX, (str_len + 1) wraps to 0,
+malloc(0) returns non-NULL, and the subsequent write to (*str)[UINT32_MAX]
+causes a WRITE SEGV (memory corruption).
+
+lyb_read_value: when lyb_size_bits == UINT32_MAX with VARIABLE_BYTES,
+LYPLG_BITS2BYTES() produces ~4 GiB, causing calloc to attempt a 4 GiB
+allocation which triggers OOM / DoS.
+
+Both paths are reachable by supplying a malformed LYB input with
+length field set to 0xFFFFFFFF.
+
+Reported-by: Dominik Blain , Cobalt AI
+---
+ src/parser_lyb.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/parser_lyb.c b/src/parser_lyb.c
+index 788be9499..be9ec37b8 100644
+--- a/src/parser_lyb.c
++++ b/src/parser_lyb.c
+@@ -217,6 +217,9 @@ lyb_read_string(char **str, uint8_t len_size, struct lylyb_ctx *lybctx)
+
+ lyb_read_number(&len, sizeof len, len_size, lybctx);
+
++ /* len + 1 wraps to 0 when len == UINT64_MAX, causing malloc(0) followed by an out-of-bounds write */
++ LY_CHECK_ERR_RET(len == UINT64_MAX, LOGERR(lybctx->ctx, LY_EINVAL, "LYB string length overflow."), LY_EINVAL);
++
+ *str = malloc((len + 1) * sizeof **str);
+ LY_CHECK_ERR_RET(!*str, LOGMEM(lybctx->ctx), LY_EMEM);
+
+@@ -281,6 +284,11 @@ lyb_read_term_value(const struct lysc_node_leaf *term, uint8_t **term_value, uin
+ *term_value_len = lyb_data_len;
+ }
+
++ /* *term_value_len + 1 can overflow when *term_value_len == UINT32_MAX,
++ * causing malloc to attempt a huge allocation (OOM / DoS) */
++ LY_CHECK_ERR_RET(*term_value_len >= UINT32_MAX,
++ LOGERR(lybctx->ctx, LY_EINVAL, "LYB value size overflow."), LY_EINVAL);
++
+ /* Allocate memory. */
+ allocated_size = *term_value_len + 1;
+ *term_value = malloc(allocated_size * sizeof **term_value);
+--
+2.52.0
+
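Review bot: The guard added in `lyb_read_string` rejects only `len == UINT64_MAX`, so the `0xFFFFFFFF` length named in the embedded commit message still reaches `malloc((len + 1) * sizeof **str)`; if `len` is a 64-bit value (its declaration is outside the hunk), a build where `size_t` is 32 bits would truncate that product to 0 and keep the out-of-bounds write the message describes. Comparing against the allocator's own limit covers both widths: `LY_CHECK_ERR_RET(len >= SIZE_MAX, LOGERR(lybctx->ctx, LY_EINVAL, "LYB string length overflow."), LY_EINVAL);`. The `lyb_read_term_value` guard leaves the matching gap for the denial-of-service case, since `*term_value_len >= UINT32_MAX` still lets a declared size just under 4 GiB through to `malloc`; where the parser knows how much input remains, the length should be bounded by that before allocating. The embedded message also talks about `lyb_read_value`, `calloc` and `LYPLG_BITS2BYTES()`, none of which appear in the two hunks, so a sentence saying the patch was adapted for 2.1.148 would keep the record accurate. Both function bodies continue outside the hunks.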
diff --git a/libyang.spec b/libyang.spec index 5b93dc0..0666399 100644 --- a/libyang.spec +++ b/libyang.spec @@ -8,12 +8,15 @@ Name: libyang Version: 2.1.148 -Release: 1%{?dist} +Release: 2%{?dist} Summary: YANG data modeling language library Url: https://github.com/CESNET/libyang Source: %{url}/archive/v%{version}.tar.gz License: BSD +# https://github.com/CESNET/libyang/pull/2513 +Patch0: RHEL-177019.patch + BuildRequires: cmake BuildRequires: doxygen BuildRequires: pcre2-devel @@ -100,6 +103,10 @@ cp -r doc/html %{buildroot}/%{_docdir}/libyang/html %{_docdir}/libyang %changelog +* Wed May 27 2026 Michal Ruprich - 2.1.148-2 +- Fix integer overflow and OOM in LYB parser string/value reading +- Resolves: RHEL-177018 + * Fri Nov 07 2025 Michal Ruprich - 2.1.148-1 - Resolves: RHEL-126845 - Rebase libyang to version 2.1.148
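Review bot: The first hunk adds `Patch0: RHEL-177019.patch` while the changelog entry in the second hunk says `Resolves: RHEL-177018`; if the two ticket numbers are not meant to differ, one of them is a typo that will make this security fix harder to trace from the tracker to the shipped patch. No hunk touches `%prep`, which lies outside the diff, so it is worth confirming that the section applies patches (for example through `%autosetup`); otherwise the new file is carried in the source package but never applied to the build.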