# HG changeset patch # User Kirill Simonov # Date 1391406104 21600 # Node ID f859ed1eb757a3562b98a28a8ce69274bfd4b3f2 # Parent da9bc6f12781a583076c7b60d057df5d7b50f96f Guard against overflows in indent and flow_level. --- LibYAML/scanner.c +++ LibYAML/scanner.c @@ -615,11 +615,11 @@ */ static int -yaml_parser_roll_indent(yaml_parser_t *parser, int column, - int number, yaml_token_type_t type, yaml_mark_t mark); +yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column, + ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark); static int -yaml_parser_unroll_indent(yaml_parser_t *parser, int column); +yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column); /* * Token fetchers. @@ -1103,7 +1103,7 @@ */ int required = (!parser->flow_level - && parser->indent == (int)parser->mark.column); + && parser->indent == (ptrdiff_t)parser->mark.column); /* * A simple key is required only when it is the first token in the current @@ -1176,6 +1176,9 @@ /* Increase the flow level. */ + if (parser->flow_level == INT_MAX) + return 0; + parser->flow_level++; return 1; @@ -1206,8 +1209,8 @@ */ static int -yaml_parser_roll_indent(yaml_parser_t *parser, int column, - int number, yaml_token_type_t type, yaml_mark_t mark) +yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column, + ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark) { yaml_token_t token; @@ -1226,6 +1229,9 @@ if (!PUSH(parser, parser->indents, parser->indent)) return 0; + if (column > INT_MAX) + return 0; + parser->indent = column; /* Create a token and insert it into the queue. */ @@ -1254,7 +1260,7 @@ static int -yaml_parser_unroll_indent(yaml_parser_t *parser, int column) +yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column) { yaml_token_t token; --- LibYAML/yaml_private.h +++ LibYAML/yaml_private.h @@ -7,6 +7,7 @@ #include #include +#include /* * Memory management. # HG changeset patch # User Kirill Simonov # Date 1391409843 21600 # Node ID af3599437a87162554787c52d8b16eab553f537b # Parent 0df2fb962294f3a6df1450a3e08c6a0f74f9078c Forgot to set the error state. --- LibYAML/scanner.c +++ LibYAML/scanner.c @@ -1176,8 +1176,10 @@ /* Increase the flow level. */ - if (parser->flow_level == INT_MAX) + if (parser->flow_level == INT_MAX) { + parser->error = YAML_MEMORY_ERROR; return 0; + } parser->flow_level++; @@ -1229,8 +1231,10 @@ if (!PUSH(parser, parser->indents, parser->indent)) return 0; - if (column > INT_MAX) + if (column > INT_MAX) { + parser->error = YAML_MEMORY_ERROR; return 0; + } parser->indent = column; Description: CVE-2013-6393: yaml_stack_extend: guard against integer overflow This is a hardening patch also from Florian Weimer . It is not required to fix this CVE however it improves the robustness of the code against future issues by avoiding large node ID's in a central place. Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076 Last-Update: 2014-01-29 --- # HG changeset patch # User Florian Weimer # Date 1389274355 -3600 # Thu Jan 09 14:32:35 2014 +0100 # Node ID 034d7a91581ac930e5958683f1a06f41e96d24a2 # Parent a54d7af707f25dc298a7be60fd152001d2b3035b yaml_stack_extend: guard against integer overflow --- LibYAML/api.c +++ LIBYAML/api.c @@ -117,7 +117,12 @@ YAML_DECLARE(int) yaml_stack_extend(void **start, void **top, void **end) { - void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2); + void *new_start; + + if ((char *)*end - (char *)*start >= INT_MAX / 2) + return 0; + + new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2); if (!new_start) return 0; Description: CVE-2013-6393: yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow This is a proposed patch from Florian Weimer for the string overflow issue. It has been ack'd by upstream. Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076 Last-Update: 2014-01-29 --- # HG changeset patch # User Florian Weimer # Date 1389273500 -3600 # Thu Jan 09 14:18:20 2014 +0100 # Node ID a54d7af707f25dc298a7be60fd152001d2b3035b # Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5 yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow --- LibYAML/scanner.c +++ LibYAML/scanner.c @@ -2621,7 +2621,7 @@ /* Resize the string to include the head. */ - while (string.end - string.start <= (int)length) { + while ((size_t)(string.end - string.start) <= length) { if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) { parser->error = YAML_MEMORY_ERROR; goto error;