aboutsummaryrefslogtreecommitdiff
path: root/package/libyaml/libyaml-0002-node-id-hardening.patch
blob: 53b8aa81eef38ebfb4f6271a6aec28e4fa4bb357 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
Description: CVE-2013-6393: yaml_stack_extend: guard against integer overflow
 This is a hardening patch also from Florian Weimer
 <fweimer@redhat.com>.  It is not required to fix this CVE however it
 improves the robustness of the code against future issues by avoiding
 large node ID's in a central place.
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
Last-Update: 2014-01-29
---
# HG changeset patch
# User Florian Weimer <fweimer@redhat.com>
# Date 1389274355 -3600
#      Thu Jan 09 14:32:35 2014 +0100
# Node ID 034d7a91581ac930e5958683f1a06f41e96d24a2
# Parent  a54d7af707f25dc298a7be60fd152001d2b3035b
yaml_stack_extend: guard against integer overflow

diff --git a/src/api.c b/src/api.c
--- a/src/api.c
+++ b/src/api.c
@@ -117,7 +117,12 @@
 YAML_DECLARE(int)
 yaml_stack_extend(void **start, void **top, void **end)
 {
-    void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
+    void *new_start;
+
+    if ((char *)*end - (char *)*start >= INT_MAX / 2)
+	return 0;
+
+    new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
 
     if (!new_start) return 0;