From: Kirill Simonov Date: Wed, 26 Mar 2014 12:03:17 +0000 (-0500) Subject: Fixed heap overflow in yaml_parser_scan_uri_escapes (Thanks Ivan Fratric of the Googl... X-Git-Tag: upstream/0.1.6^2 X-Git-Url: http://andersk.mit.edu/gitweb/libyaml.git/commitdiff_plain/d1003a9d40b674520934f4f38ffc4ff2a809bc2d Fixed heap overflow in yaml_parser_scan_uri_escapes (Thanks Ivan Fratric of the Google Security Team).
---
diff --git a/CMakeLists.txt b/CMakeLists.txt
index d30c536..e84c28c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -5,7 +5,7 @@ project (yaml C)
 set (YAML_VERSION_MAJOR 0)
 set (YAML_VERSION_MINOR 1)
-set (YAML_VERSION_PATCH 4)
+set (YAML_VERSION_PATCH 6)
 set (YAML_VERSION_STRING "${YAML_VERSION_MAJOR}.${YAML_VERSION_MINOR}.${YAML_VERSION_PATCH}")
 file (GLOB SRC src/*.c)
diff --git a/configure.ac b/configure.ac
index e7db798..dd1aca0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3,7 +3,7 @@
 # Define the package version numbers and the bug reporting link.
 m4_define([YAML_MAJOR], 0)
 m4_define([YAML_MINOR], 1)
-m4_define([YAML_PATCH], 5)
+m4_define([YAML_PATCH], 6)
 m4_define([YAML_BUGS], [http://pyyaml.org/newticket?component=libyaml])
 # Define the libtool version numbers; check the Autobook, Section 11.4.
@@ -19,7 +19,7 @@ m4_define([YAML_BUGS], [http://pyyaml.org/newticket?component=libyaml])
 # YAML_AGE = 0
 m4_define([YAML_RELEASE], 0)
 m4_define([YAML_CURRENT], 2)
-m4_define([YAML_REVISION], 3)
+m4_define([YAML_REVISION], 4)
 m4_define([YAML_AGE], 0)
 # Initialize autoconf & automake.
diff --git a/src/scanner.c b/src/scanner.c
index 8817de2..88d4fa5 100644
--- a/src/scanner.c
+++ b/src/scanner.c
@@ -2629,6 +2629,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *parser, int directive,
 /* Check if it is a URI-escape sequence. */
 if (CHECK(parser->buffer, '%')) {
+ if (!STRING_EXTEND(parser, string))
+ goto error;
+
 if (!yaml_parser_scan_uri_escapes(parser, directive,
 start_mark, &string)) goto error;
 }
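Review bot: The space guarantee for yaml_parser_scan_uri_escapes now lives at this call site rather than next to the write it protects, so nothing in the callee itself (its body is outside this hunk) stops a future caller from reaching it with a nearly full string; a precondition comment on the new lines would at least make the dependency explicit, e.g. `/* scan_uri_escapes writes decoded octets straight into string; STRING_EXTEND must guarantee room first. */`. The STRING_EXTEND test visible in the yaml_private.h hunk (`(string).pointer+5 < (string).end`) only grows the buffer when five or fewer bytes remain, so this guard is sufficient only as long as one escape sequence never decodes to more bytes than that headroom — worth stating beside the call, since the invariant is not checked anywhere visible and how much yaml_string_extend grows the buffer is not shown here. yaml_parser_scan_tag_uri starts before this hunk and continues after it.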
diff --git a/src/yaml_private.h b/src/yaml_private.h
index 9589e05..f0e1001 100644
--- a/src/yaml_private.h
+++ b/src/yaml_private.h
@@ -143,9 +143,12 @@ yaml_string_join(
 (string).start = (string).pointer = (string).end = 0)
 #define STRING_EXTEND(context,string) \
- (((string).pointer+5 < (string).end) \
+ ((((string).pointer+5 < (string).end) \
 || yaml_string_extend(&(string).start, \
- &(string).pointer, &(string).end))
+ &(string).pointer, &(string).end)) ? \
+ 1 : \
+ ((context)->error = YAML_MEMORY_ERROR, \
+ 0))
 #define CLEAR(context,string) \
 ((string).pointer = (string).start, \
diff --git a/win32/config.h b/win32/config.h
index c551551..2459f49 100644
--- a/win32/config.h
+++ b/win32/config.h
@@ -1,4 +1,4 @@
 #define YAML_VERSION_MAJOR 0
 #define YAML_VERSION_MINOR 1
-#define YAML_VERSION_PATCH 5
-#define YAML_VERSION_STRING "0.1.5"
+#define YAML_VERSION_PATCH 6
+#define YAML_VERSION_STRING "0.1.6"
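Review bot: The contract of STRING_EXTEND is undocumented even though callers such as the new scanner.c guard now rely on two things it does: leaving headroom (the `(string).pointer+5 < (string).end` test, i.e. more than five bytes free when it short-circuits) and recording `YAML_MEMORY_ERROR` in `(context)->error` when it evaluates to 0. A comment above the `#define` would pin that down, e.g. `/* Make sure at least 6 more bytes fit (pointer+5 < end), growing the string if needed. Evaluates to 1 on success; on allocation failure sets context->error to YAML_MEMORY_ERROR and evaluates to 0. */`. Whether yaml_string_extend actually restores that headroom after a grow is not visible in this hunk and should be confirmed against its definition. Note also that `(string)` is expanded several times, so the argument must stay side-effect free — pre-existing, but the comment is the place to say it.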