44 lines
1.7 KiB
Diff
44 lines
1.7 KiB
Diff
From 0b5e73c4321de0ba1d495fdc0967054b2a77931c Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
|
Date: Mon, 10 Jul 2023 13:36:10 +0100
|
|
Subject: [PATCH 5/8] Fix for CVE-2017-16516
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Description: Fix for CVE-2017-16516
|
|
Potential buffer overread: A JSON file can cause denial of service.
|
|
Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
|
|
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
|
|
Bug: https://github.com/lloyd/yajl/issues/248
|
|
|
|
Patch taken from Debian package source
|
|
|
|
NB, Fedora code can't trigger the reported aborts since it passes the
|
|
-DNDEBUG flag, but pulling the fix for robustness in case a future
|
|
change enables the assert()s.
|
|
|
|
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
---
|
|
src/yajl_encode.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/yajl_encode.c b/src/yajl_encode.c
|
|
index fd08258..0d97cc5 100644
|
|
--- a/src/yajl_encode.c
|
|
+++ b/src/yajl_encode.c
|
|
@@ -139,8 +139,8 @@ void yajl_string_decode(yajl_buf buf, const unsigned char * str,
|
|
end+=3;
|
|
/* check if this is a surrogate */
|
|
if ((codepoint & 0xFC00) == 0xD800) {
|
|
- end++;
|
|
- if (str[end] == '\\' && str[end + 1] == 'u') {
|
|
+ if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {
|
|
+ end++;
|
|
unsigned int surrogate = 0;
|
|
hexToDigit(&surrogate, str + end + 2);
|
|
codepoint =
|
|
--
|
|
2.41.0
|
|
|