]>
Commit | Line | Data |
---|---|---|
4690e8e8 AK |
1 | Description: CVE-2013-6393: yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow |
2 | This is a proposed patch from Florian Weimer <fweimer@redhat.com> for | |
3 | the string overflow issue. It has been ack'd by upstream. | |
4 | Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 | |
5 | Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 | |
6 | Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076 | |
7 | Last-Update: 2014-01-29 | |
8 | --- | |
9 | # HG changeset patch | |
10 | # User Florian Weimer <fweimer@redhat.com> | |
11 | # Date 1389273500 -3600 | |
12 | # Thu Jan 09 14:18:20 2014 +0100 | |
13 | # Node ID a54d7af707f25dc298a7be60fd152001d2b3035b | |
14 | # Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5 | |
15 | yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow | |
16 | ||
17 | diff --git a/src/scanner.c b/src/scanner.c | |
18 | --- a/src/scanner.c | |
19 | +++ b/src/scanner.c | |
20 | @@ -2574,7 +2574,7 @@ | |
21 | ||
22 | /* Resize the string to include the head. */ | |
23 | ||
24 | - while (string.end - string.start <= (int)length) { | |
25 | + while ((size_t)(string.end - string.start) <= length) { | |
26 | if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) { | |
27 | parser->error = YAML_MEMORY_ERROR; | |
28 | goto error; |