perl-YAML-LibYAML/YAML-LibYAML-0.41-CVE-2014-2525.patch

39 lines
1.8 KiB
Diff
Raw Normal View History

Description: CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes
The heap overflow is caused by not properly expanding a string before
writing to it in function yaml_parser_scan_uri_escapes in scanner.c.
Origin: backport, https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2014-03-20
Applied-Upstream: 0.1.6
--- LibYAML/scanner.c
+++ LibYAML/scanner.c
@@ -2619,6 +2619,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *
/* Check if it is a URI-escape sequence. */
if (CHECK(parser->buffer, '%')) {
+ if (!STRING_EXTEND(parser, string))
+ goto error;
+
if (!yaml_parser_scan_uri_escapes(parser,
directive, start_mark, &string)) goto error;
}
--- LibYAML/yaml_private.h
+++ LibYAML/yaml_private.h
@@ -132,9 +132,12 @@ yaml_string_join(
(string).start = (string).pointer = (string).end = 0)
#define STRING_EXTEND(context,string) \
- (((string).pointer+5 < (string).end) \
+ ((((string).pointer+5 < (string).end) \
|| yaml_string_extend(&(string).start, \
- &(string).pointer, &(string).end))
+ &(string).pointer, &(string).end)) ? \
+ 1 : \
+ ((context)->error = YAML_MEMORY_ERROR, \
+ 0))
#define CLEAR(context,string) \
((string).pointer = (string).start, \