Description: CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes The heap overflow is caused by not properly expanding a string before writing to it in function yaml_parser_scan_uri_escapes in scanner.c. Origin: backport, https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048 Author: Salvatore Bonaccorso Last-Update: 2014-03-20 Applied-Upstream: 0.1.6 --- LibYAML/scanner.c +++ LibYAML/scanner.c @@ -2619,6 +2619,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t * /* Check if it is a URI-escape sequence. */ if (CHECK(parser->buffer, '%')) { + if (!STRING_EXTEND(parser, string)) + goto error; + if (!yaml_parser_scan_uri_escapes(parser, directive, start_mark, &string)) goto error; } --- LibYAML/yaml_private.h +++ LibYAML/yaml_private.h @@ -132,9 +132,12 @@ yaml_string_join( (string).start = (string).pointer = (string).end = 0) #define STRING_EXTEND(context,string) \ - (((string).pointer+5 < (string).end) \ + ((((string).pointer+5 < (string).end) \ || yaml_string_extend(&(string).start, \ - &(string).pointer, &(string).end)) + &(string).pointer, &(string).end)) ? \ + 1 : \ + ((context)->error = YAML_MEMORY_ERROR, \ + 0)) #define CLEAR(context,string) \ ((string).pointer = (string).start, \