1 Description: CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes
2 The heap overflow is caused by writing to a string without first expanding it
3 in function yaml_parser_scan_uri_escapes in scanner.c.
4 Origin: backport, https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048
5 Author: Salvatore Bonaccorso <carnil@debian.org>
6 Last-Update: 2014-03-20
7 Applied-Upstream: 0.1.6
12 /* Check if it is a URI-escape sequence. */
14 if (CHECK(parser->buffer, '%')) {
15 + if (!STRING_EXTEND(parser, string))
18 if (!yaml_parser_scan_uri_escapes(parser,
19 directive, start_mark, &string)) goto error;
21 --- a/src/yaml_private.h
22 +++ b/src/yaml_private.h
24 (string).start = (string).pointer = (string).end = 0)
26 #define STRING_EXTEND(context,string) \
27 - (((string).pointer+5 < (string).end) \
28 + ((((string).pointer+5 < (string).end) \
29 || yaml_string_extend(&(string).start, \
30 - &(string).pointer, &(string).end))
31 + &(string).pointer, &(string).end)) ? \
33 + ((context)->error = YAML_MEMORY_ERROR, \
36 #define CLEAR(context,string) \
37 ((string).pointer = (string).start, \