From 9c33a12015768299d4ee1d00177293274f5338c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Mon, 10 Jul 2023 14:17:15 +0100 Subject: [PATCH] Fix integer overflow leading to heap corruption (CVE-2022-24795) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Daniel P. Berrangé --- 0006-Fix-CVE-2022-24795.patch | 60 +++++++++++++++++++++++++++++++++++ yajl.spec | 2 ++ 2 files changed, 62 insertions(+) create mode 100644 0006-Fix-CVE-2022-24795.patch diff --git a/0006-Fix-CVE-2022-24795.patch b/0006-Fix-CVE-2022-24795.patch new file mode 100644 index 0000000..704e884 --- /dev/null +++ b/0006-Fix-CVE-2022-24795.patch 
@@ -0,0 +1,60 @@ +From 17de4d15687aa30c49660dc4b792b1fb4d38b569 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Thu, 7 Apr 2022 17:29:54 +0200 +Subject: [PATCH 6/8] Fix CVE-2022-24795 + +There was an integer overflow in yajl_buf_ensure_available() leading +to allocating less memory than requested. Then data were written past +the allocated heap buffer in yajl_buf_append(), the only caller of +yajl_buf_ensure_available(). Another result of the overflow was an +infinite loop without a return from yajl_buf_ensure_available(). + +yajl-ruby project, which bundles yajl, fixed it + by checking for the +integer overflow, fortifying buffer allocations, and reporting the +failures to a caller. But then the caller yajl_buf_append() skips +a memory write if yajl_buf_ensure_available() failed, leading to data +corruption. + +A yajl fork maintainer recommended calling memory allocation callbacks with +the large memory request and let them handle it. But that has the +problem that it's not possible to pass the overly large size to the +callbacks. + +This patch catches the integer overflow and terminates the process +with abort(). + +https://github.com/lloyd/yajl/issues/239 +https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm +(cherry picked from commit 23cea2d7677e396efed78bbf1bf153961fab6bad + in https://github.com/ppisar/yajl) +--- + src/yajl_buf.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/yajl_buf.c b/src/yajl_buf.c +index 1aeafde..55c11ad 100644 +--- a/src/yajl_buf.c ++++ b/src/yajl_buf.c +@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want) + + need = buf->len; + +- while (want >= (need - buf->used)) need <<= 1; ++ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) { ++ /* We cannot allocate more memory than SIZE_MAX. 
*/ ++ abort(); ++ } ++ while (want >= (need - buf->used)) { ++ if (need >= (size_t)((size_t)(-1)<<1)>>1) { ++ /* need would overflow. */ ++ abort(); ++ } ++ need <<= 1; ++ } + + if (need != buf->len) { + buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need); +-- +2.41.0 + diff --git a/yajl.spec b/yajl.spec index acb531f..72e4232 100644 --- a/yajl.spec +++ b/yajl.spec @@ -26,6 +26,7 @@ Patch: 0002-pkg-config-include-dir-should-not-have-the-yajl-suff.patch Patch: 0003-fix-patch-to-test-files-to-take-account-of-vpath.patch Patch: 0004-drop-bogus-_s-suffix-from-yajl-dynamic-library.patch Patch: 0005-Fix-for-CVE-2017-16516.patch +Patch: 0006-Fix-CVE-2022-24795.patch BuildRequires: gcc BuildRequires: cmake @@ -97,6 +98,7 @@ cd test * Mon Jul 10 2023 Daniel P. Berrangé - 2.1.0-21 - Switch to using git for managing patches - Fix potential buffer overread (CVE-2017-16516) +- Fix integer overflow leading to heap corruption (CVE-2022-24795) * Sat Jan 21 2023 Fedora Release Engineering - 2.1.0-20 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
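Review bot: in the src/yajl_buf.c hunk the guard inside the doubling loop, `if (need >= (size_t)((size_t)(-1)<<1)>>1)`, is hard to read and off by one: it evaluates to `need >= SIZE_MAX >> 1`, so it also aborts for need == SIZE_MAX >> 1 even though doubling that value cannot wrap; `need > SIZE_MAX / 2` with SIZE_MAX from <stdint.h> states the intent exactly and is obviously correct. That guard only fires for large need, so it does not close the other way the loop can spin: if buf->len can be 0 on entry, need is 0, `need <<= 1` stays 0, `want >= (need - buf->used)` stays true and the loop never exits; either assert need != 0 before the loop or add a comment saying why buf->len is guaranteed non-zero here. The first check, max(used, want) > used + want, is a correct wrap test for the sum, though the conventional `want > SIZE_MAX - buf->used` reads more directly. Lastly, abort() is a policy change the commit message argues for but the code does not document: callers supplying their own allocator through yajl_alloc_funcs (reached via YA_REALLOC in this hunk) will never see an allocation failure, only process termination, so say so in a comment on the function and in the public header, and confirm <stdlib.h> is included so abort() is declared.

Review bot: the yajl.spec changelog hunk appends this fix to the existing `* Mon Jul 10 2023 Daniel P. Berrangé - 2.1.0-21` entry instead of adding a new one; that is fine only if 2.1.0-21 has not yet been built or pushed, otherwise bump Release and add a fresh dated entry so the CVE fix is attributed to the build that actually carries it.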