83209f9f6c
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
29 lines
1.1 KiB
Diff
29 lines
1.1 KiB
Diff
Description: CVE-2013-6393: yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow
|
|
This is a proposed patch from Florian Weimer <fweimer@redhat.com> for
|
|
the string overflow issue. It has been ack'd by upstream.
|
|
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
|
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
|
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
|
|
Last-Update: 2014-01-29
|
|
---
|
|
# HG changeset patch
|
|
# User Florian Weimer <fweimer@redhat.com>
|
|
# Date 1389273500 -3600
|
|
# Thu Jan 09 14:18:20 2014 +0100
|
|
# Node ID a54d7af707f25dc298a7be60fd152001d2b3035b
|
|
# Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5
|
|
yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow
|
|
|
|
diff --git a/src/scanner.c b/src/scanner.c
|
|
--- a/src/scanner.c
|
|
+++ b/src/scanner.c
|
|
@@ -2574,7 +2574,7 @@
|
|
|
|
/* Resize the string to include the head. */
|
|
|
|
- while (string.end - string.start <= (int)length) {
|
|
+ while ((size_t)(string.end - string.start) <= length) {
|
|
if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) {
|
|
parser->error = YAML_MEMORY_ERROR;
|
|
goto error;
|