Commit | Line | Data |
---|---|---|
4690e8e8 AK |
1 | Description: CVE-2013-6393: yaml_stack_extend: guard against integer overflow |
2 | This is a hardening patch also from Florian Weimer | |
3 | <fweimer@redhat.com>. It is not required to fix this CVE; however, it | |
4 | improves the robustness of the code against future issues by avoiding | |
5 | large node IDs in a central place. | |
6 | Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 | |
7 | Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 | |
8 | Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076 | |
9 | Last-Update: 2014-01-29 | |
10 | --- | |
11 | # HG changeset patch | |
12 | # User Florian Weimer <fweimer@redhat.com> | |
13 | # Date 1389274355 -3600 | |
14 | # Thu Jan 09 14:32:35 2014 +0100 | |
15 | # Node ID 034d7a91581ac930e5958683f1a06f41e96d24a2 | |
16 | # Parent a54d7af707f25dc298a7be60fd152001d2b3035b | |
17 | yaml_stack_extend: guard against integer overflow | |
18 | ||
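--- a/src/api.c
+++ b/src/api.c
@@ -117,7 +117,12 @@
 YAML_DECLARE(int)
 yaml_stack_extend(void **start, void **top, void **end)
 {
- void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
+ void *new_start;
+
+ if ((char *)*end - (char *)*start >= INT_MAX / 2)
+ return 0;
+
+ new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
 
 if (!new_start) return 0;
 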
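Review bot: The new guard at the top of yaml_stack_extend bounds the stack at `INT_MAX / 2` bytes, but nothing in the code says why the limit is INT_MAX rather than the range of size_t or of the pointer difference. The patch description gives the reason (keeping node IDs small), so a comment above the check would record it, e.g. `/* Refuse to grow past INT_MAX bytes so that stack indexes (node IDs) stay within int. */`; the claim that indexes are held in int is inferred from the description and should be confirmed against the callers. The byte count `(char *)*end - (char *)*start` now appears in both the check and the realloc size, so computing it once into a local would keep the two from drifting apart. `INT_MAX` needs `<limits.h>`, and this hunk does not show it being included, which is worth confirming. Returning 0 here is indistinguishable from the allocation-failure return a few lines below, so callers will presumably report it as a memory error; the function body continues outside the hunk.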