39 lines
1.8 KiB
Diff
39 lines
1.8 KiB
Diff
|
Description: CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes
|
||
|
The heap overflow is caused by not properly expanding a string before
|
||
|
writing to it in function yaml_parser_scan_uri_escapes in scanner.c.
|
||
|
|
||
|
Origin: backport, https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048
|
||
|
Author: Salvatore Bonaccorso <carnil@debian.org>
|
||
|
Last-Update: 2014-03-20
|
||
|
Applied-Upstream: 0.1.6
|
||
|
|
||
|
--- LibYAML/scanner.c
|
||
|
+++ LibYAML/scanner.c
|
||
|
@@ -2619,6 +2619,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *
|
||
|
/* Check if it is a URI-escape sequence. */
|
||
|
|
||
|
if (CHECK(parser->buffer, '%')) {
|
||
|
+ if (!STRING_EXTEND(parser, string))
|
||
|
+ goto error;
|
||
|
+
|
||
|
if (!yaml_parser_scan_uri_escapes(parser,
|
||
|
directive, start_mark, &string)) goto error;
|
||
|
}
|
||
|
--- LibYAML/yaml_private.h
|
||
|
+++ LibYAML/yaml_private.h
|
||
|
@@ -132,9 +132,12 @@ yaml_string_join(
|
||
|
(string).start = (string).pointer = (string).end = 0)
|
||
|
|
||
|
#define STRING_EXTEND(context,string) \
|
||
|
- (((string).pointer+5 < (string).end) \
|
||
|
+ ((((string).pointer+5 < (string).end) \
|
||
|
|| yaml_string_extend(&(string).start, \
|
||
|
- &(string).pointer, &(string).end))
|
||
|
+ &(string).pointer, &(string).end)) ? \
|
||
|
+ 1 : \
|
||
|
+ ((context)->error = YAML_MEMORY_ERROR, \
|
||
|
+ 0))
|
||
|
|
||
|
#define CLEAR(context,string) \
|
||
|
((string).pointer = (string).start, \
|