da43da31bb
- Fix LibYAML input sanitization errors (CVE-2014-2525) - Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
178 lines
5.2 KiB
Diff
178 lines
5.2 KiB
Diff
# HG changeset patch
|
|
# User Kirill Simonov <xi@resolvent.net>
|
|
# Date 1391406104 21600
|
|
# Node ID f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
|
|
# Parent da9bc6f12781a583076c7b60d057df5d7b50f96f
|
|
Guard against overflows in indent and flow_level.
|
|
|
|
--- LibYAML/scanner.c
|
|
+++ LibYAML/scanner.c
|
|
@@ -615,11 +615,11 @@
|
|
*/
|
|
|
|
static int
|
|
-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
|
|
- int number, yaml_token_type_t type, yaml_mark_t mark);
|
|
+yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
|
|
+ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark);
|
|
|
|
static int
|
|
-yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
|
|
+yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column);
|
|
|
|
/*
|
|
* Token fetchers.
|
|
@@ -1103,7 +1103,7 @@
|
|
*/
|
|
|
|
int required = (!parser->flow_level
|
|
- && parser->indent == (int)parser->mark.column);
|
|
+ && parser->indent == (ptrdiff_t)parser->mark.column);
|
|
|
|
/*
|
|
* A simple key is required only when it is the first token in the current
|
|
@@ -1176,6 +1176,9 @@
|
|
|
|
/* Increase the flow level. */
|
|
|
|
+ if (parser->flow_level == INT_MAX)
|
|
+ return 0;
|
|
+
|
|
parser->flow_level++;
|
|
|
|
return 1;
|
|
@@ -1206,8 +1209,8 @@
|
|
*/
|
|
|
|
static int
|
|
-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
|
|
- int number, yaml_token_type_t type, yaml_mark_t mark)
|
|
+yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
|
|
+ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark)
|
|
{
|
|
yaml_token_t token;
|
|
|
|
@@ -1226,6 +1229,9 @@
|
|
if (!PUSH(parser, parser->indents, parser->indent))
|
|
return 0;
|
|
|
|
+ if (column > INT_MAX)
|
|
+ return 0;
|
|
+
|
|
parser->indent = column;
|
|
|
|
/* Create a token and insert it into the queue. */
|
|
@@ -1254,7 +1260,7 @@
|
|
|
|
|
|
static int
|
|
-yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
|
|
+yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column)
|
|
{
|
|
yaml_token_t token;
|
|
|
|
--- LibYAML/yaml_private.h
|
|
+++ LibYAML/yaml_private.h
|
|
@@ -7,6 +7,7 @@
|
|
|
|
#include <assert.h>
|
|
#include <limits.h>
|
|
+#include <stddef.h>
|
|
|
|
/*
|
|
* Memory management.
|
|
# HG changeset patch
|
|
# User Kirill Simonov <xi@resolvent.net>
|
|
# Date 1391409843 21600
|
|
# Node ID af3599437a87162554787c52d8b16eab553f537b
|
|
# Parent 0df2fb962294f3a6df1450a3e08c6a0f74f9078c
|
|
Forgot to set the error state.
|
|
|
|
--- LibYAML/scanner.c
|
|
+++ LibYAML/scanner.c
|
|
@@ -1176,8 +1176,10 @@
|
|
|
|
/* Increase the flow level. */
|
|
|
|
- if (parser->flow_level == INT_MAX)
|
|
+ if (parser->flow_level == INT_MAX) {
|
|
+ parser->error = YAML_MEMORY_ERROR;
|
|
return 0;
|
|
+ }
|
|
|
|
parser->flow_level++;
|
|
|
|
@@ -1229,8 +1231,10 @@
|
|
if (!PUSH(parser, parser->indents, parser->indent))
|
|
return 0;
|
|
|
|
- if (column > INT_MAX)
|
|
+ if (column > INT_MAX) {
|
|
+ parser->error = YAML_MEMORY_ERROR;
|
|
return 0;
|
|
+ }
|
|
|
|
parser->indent = column;
|
|
|
|
Description: CVE-2013-6393: yaml_stack_extend: guard against integer overflow
|
|
This is a hardening patch also from Florian Weimer
|
|
<fweimer@redhat.com>. It is not required to fix this CVE however it
|
|
improves the robustness of the code against future issues by avoiding
|
|
large node ID's in a central place.
|
|
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
|
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
|
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
|
|
Last-Update: 2014-01-29
|
|
---
|
|
# HG changeset patch
|
|
# User Florian Weimer <fweimer@redhat.com>
|
|
# Date 1389274355 -3600
|
|
# Thu Jan 09 14:32:35 2014 +0100
|
|
# Node ID 034d7a91581ac930e5958683f1a06f41e96d24a2
|
|
# Parent a54d7af707f25dc298a7be60fd152001d2b3035b
|
|
yaml_stack_extend: guard against integer overflow
|
|
|
|
--- LibYAML/api.c
|
|
+++ LIBYAML/api.c
|
|
@@ -117,7 +117,12 @@
|
|
YAML_DECLARE(int)
|
|
yaml_stack_extend(void **start, void **top, void **end)
|
|
{
|
|
- void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
|
|
+ void *new_start;
|
|
+
|
|
+ if ((char *)*end - (char *)*start >= INT_MAX / 2)
|
|
+ return 0;
|
|
+
|
|
+ new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
|
|
|
|
if (!new_start) return 0;
|
|
|
|
Description: CVE-2013-6393: yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow
|
|
This is a proposed patch from Florian Weimer <fweimer@redhat.com> for
|
|
the string overflow issue. It has been ack'd by upstream.
|
|
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
|
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
|
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
|
|
Last-Update: 2014-01-29
|
|
---
|
|
# HG changeset patch
|
|
# User Florian Weimer <fweimer@redhat.com>
|
|
# Date 1389273500 -3600
|
|
# Thu Jan 09 14:18:20 2014 +0100
|
|
# Node ID a54d7af707f25dc298a7be60fd152001d2b3035b
|
|
# Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5
|
|
yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow
|
|
|
|
--- LibYAML/scanner.c
|
|
+++ LibYAML/scanner.c
|
|
@@ -2621,7 +2621,7 @@
|
|
|
|
/* Resize the string to include the head. */
|
|
|
|
- while (string.end - string.start <= (int)length) {
|
|
+ while ((size_t)(string.end - string.start) <= length) {
|
|
if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) {
|
|
parser->error = YAML_MEMORY_ERROR;
|
|
goto error;
|