andersk / libyaml.git / blame
| Commit | Line | Data |
|---|---|---|
| 4690e8e8 AK |
1 | Description: CVE-2013-6393: yaml_stack_extend: guard against integer overflow |
| 2 | This is a hardening patch also from Florian Weimer | |
| 3 | <fweimer@redhat.com>. It is not required to fix this CVE however it | |
| 4 | improves the robustness of the code against future issues by avoiding | |
| 5 | large node ID's in a central place. | |
| 6 | Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 | |
| 7 | Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 | |
| 8 | Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076 | |
| 9 | Last-Update: 2014-01-29 | |
| 10 | --- | |
| 11 | # HG changeset patch | |
| 12 | # User Florian Weimer <fweimer@redhat.com> | |
| 13 | # Date 1389274355 -3600 | |
| 14 | # Thu Jan 09 14:32:35 2014 +0100 | |
| 15 | # Node ID 034d7a91581ac930e5958683f1a06f41e96d24a2 | |
| 16 | # Parent a54d7af707f25dc298a7be60fd152001d2b3035b | |
| 17 | yaml_stack_extend: guard against integer overflow | |
| 18 | ||
| 19 | diff --git a/src/api.c b/src/api.c | |
| 20 | --- a/src/api.c | |
| 21 | +++ b/src/api.c | |
| 22 | @@ -117,7 +117,12 @@ | |
| 23 | YAML_DECLARE(int) | |
| 24 | yaml_stack_extend(void **start, void **top, void **end) | |
| 25 | { | |
| 26 | - void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2); | |
| 27 | + void *new_start; | |
| 28 | + | |
| 29 | + if ((char *)*end - (char *)*start >= INT_MAX / 2) | |
| 30 | + return 0; | |
| 31 | + | |
| 32 | + new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2); | |
| 33 | ||
| 34 | if (!new_start) return 0; | |
| 35 |