Files
Kang Kai 47cc7a8d16 libyaml: add fix for CVE-2014-2525 Security Advisory
Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function
in LibYAML before 0.1.6 allows context-dependent attackers to execute
arbitrary code via a long sequence of percent-encoded characters in a
URI in a YAML file.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2525

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2014-11-07 15:05:46 +01:00

43 lines
1.8 KiB
Diff

Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function
in LibYAML before 0.1.6 allows context-dependent attackers to execute
arbitrary code via a long sequence of percent-encoded characters in a
URI in a YAML file.
Upstream-Status: Backport
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
diff --git a/src/scanner.c.old b/src/scanner.c
index a2e8619..c6cde3b 100644
--- a/src/scanner.c.old
+++ b/src/scanner.c
@@ -2619,6 +2619,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *parser, int directive,
/* Check if it is a URI-escape sequence. */
if (CHECK(parser->buffer, '%')) {
+ if (!STRING_EXTEND(parser, string))
+ goto error;
+
if (!yaml_parser_scan_uri_escapes(parser,
directive, start_mark, &string)) goto error;
}
diff --git a/src/yaml_private.h.old b/src/yaml_private.h
index ed5ea66..d72acb4 100644
--- a/src/yaml_private.h.old
+++ b/src/yaml_private.h
@@ -132,9 +132,12 @@ yaml_string_join(
(string).start = (string).pointer = (string).end = 0)
#define STRING_EXTEND(context,string) \
- (((string).pointer+5 < (string).end) \
+ ((((string).pointer+5 < (string).end) \
|| yaml_string_extend(&(string).start, \
- &(string).pointer, &(string).end))
+ &(string).pointer, &(string).end)) ? \
+ 1 : \
+ ((context)->error = YAML_MEMORY_ERROR, \
+ 0))
#define CLEAR(context,string) \
((string).pointer = (string).start, \