andersk / libyaml.git / blame
| Commit | Line | Data |
|---|---|---|
| 4690e8e8 AK |
1 | Description: CVE-2013-6393: yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow |
| 2 | This is a proposed patch from Florian Weimer <fweimer@redhat.com> for | |
| 3 | the string overflow issue. It has been ack'd by upstream. | |
| 4 | Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 | |
| 5 | Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 | |
| 6 | Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076 | |
| 7 | Last-Update: 2014-01-29 | |
| 8 | --- | |
| 9 | # HG changeset patch | |
| 10 | # User Florian Weimer <fweimer@redhat.com> | |
| 11 | # Date 1389273500 -3600 | |
| 12 | # Thu Jan 09 14:18:20 2014 +0100 | |
| 13 | # Node ID a54d7af707f25dc298a7be60fd152001d2b3035b | |
| 14 | # Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5 | |
| 15 | yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow | |
| 16 | ||
| 17 | diff --git a/src/scanner.c b/src/scanner.c | |
| 18 | --- a/src/scanner.c | |
| 19 | +++ b/src/scanner.c | |
| 20 | @@ -2574,7 +2574,7 @@ | |
| 21 | ||
| 22 | /* Resize the string to include the head. */ | |
| 23 | ||
| 24 | - while (string.end - string.start <= (int)length) { | |
| 25 | + while ((size_t)(string.end - string.start) <= length) { | |
| 26 | if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) { | |
| 27 | parser->error = YAML_MEMORY_ERROR; | |
| 28 | goto error; |