Fixed heap overflow in yaml_parser_scan_uri_escapes (Thanks Ivan Fratric of the Googl...

diff --git a/CMakeLists.txt b/CMakeLists.txt
index d30c5362dd089011ec973c883fd55c5646759c19..e84c28cd054cc959ebc706e9929955a4bf297cba 100644 (file)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -5,7 +5,7 @@ project (yaml C)
 
 set (YAML_VERSION_MAJOR 0)
 set (YAML_VERSION_MINOR 1)
-set (YAML_VERSION_PATCH 4)
+set (YAML_VERSION_PATCH 6)
 set (YAML_VERSION_STRING "${YAML_VERSION_MAJOR}.${YAML_VERSION_MINOR}.${YAML_VERSION_PATCH}")
 
 file (GLOB SRC src/*.c)

diff --git a/configure.ac b/configure.ac
index e7db798231da19a873bd26eee150da66cdbdf67e..dd1aca05c71477e54f9b58df9ae19843ec37c28b 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -3,7 +3,7 @@
 # Define the package version numbers and the bug reporting link.
 m4_define([YAML_MAJOR], 0)
 m4_define([YAML_MINOR], 1)
-m4_define([YAML_PATCH], 5)
+m4_define([YAML_PATCH], 6)
 m4_define([YAML_BUGS], [http://pyyaml.org/newticket?component=libyaml])
 
 # Define the libtool version numbers; check the Autobook, Section 11.4.
@@ -19,7 +19,7 @@ m4_define([YAML_BUGS], [http://pyyaml.org/newticket?component=libyaml])
 #           YAML_AGE = 0
 m4_define([YAML_RELEASE], 0)
 m4_define([YAML_CURRENT], 2)
-m4_define([YAML_REVISION], 3)
+m4_define([YAML_REVISION], 4)
 m4_define([YAML_AGE], 0)
 
 # Initialize autoconf & automake.

diff --git a/src/scanner.c b/src/scanner.c
index 8817de242cbc489f021ba46e2795fff73cdabe73..88d4fa5df24cb68f752135978f5f17e7e68810a1 100644 (file)
--- a/src/scanner.c
+++ b/src/scanner.c
@@ -2629,6 +2629,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *parser, int directive,
         /* Check if it is a URI-escape sequence. */
 
         if (CHECK(parser->buffer, '%')) {
+            if (!STRING_EXTEND(parser, string))
+                goto error;
+
             if (!yaml_parser_scan_uri_escapes(parser,
                         directive, start_mark, &string)) goto error;
         }

diff --git a/src/yaml_private.h b/src/yaml_private.h
index 9589e052fec050bbb785466a24da84d5cc4ed6ee..f0e10010242a59f6e9c2e7d8ceca0fd198786bd4 100644 (file)
--- a/src/yaml_private.h
+++ b/src/yaml_private.h
@@ -143,9 +143,12 @@ yaml_string_join(
      (string).start = (string).pointer = (string).end = 0)
 
 #define STRING_EXTEND(context,string)                                           \
-    (((string).pointer+5 < (string).end)                                        \
+    ((((string).pointer+5 < (string).end)                                       \
         || yaml_string_extend(&(string).start,                                  \
-            &(string).pointer, &(string).end))
+            &(string).pointer, &(string).end)) ?                                \
+         1 :                                                                    \
+        ((context)->error = YAML_MEMORY_ERROR,                                  \
+         0))
 
 #define CLEAR(context,string)                                                   \
     ((string).pointer = (string).start,                                         \

diff --git a/win32/config.h b/win32/config.h
index c55155135b3939a5546b568479b705a946838bd5..2459f4928f9a8b5e4e621b0f4f954fa58d2cb5cb 100644 (file)
--- a/win32/config.h
+++ b/win32/config.h
@@ -1,4 +1,4 @@
 #define YAML_VERSION_MAJOR 0
 #define YAML_VERSION_MINOR 1
-#define YAML_VERSION_PATCH 5
-#define YAML_VERSION_STRING "0.1.5"
+#define YAML_VERSION_PATCH 6
+#define YAML_VERSION_STRING "0.1.6"