83209f9f6c
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
36 lines
1.2 KiB
Diff
36 lines
1.2 KiB
Diff
Description: CVE-2013-6393: yaml_stack_extend: guard against integer overflow
|
|
This is a hardening patch also from Florian Weimer
|
|
<fweimer@redhat.com>. It is not required to fix this CVE however it
|
|
improves the robustness of the code against future issues by avoiding
|
|
large node ID's in a central place.
|
|
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
|
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
|
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
|
|
Last-Update: 2014-01-29
|
|
---
|
|
# HG changeset patch
|
|
# User Florian Weimer <fweimer@redhat.com>
|
|
# Date 1389274355 -3600
|
|
# Thu Jan 09 14:32:35 2014 +0100
|
|
# Node ID 034d7a91581ac930e5958683f1a06f41e96d24a2
|
|
# Parent a54d7af707f25dc298a7be60fd152001d2b3035b
|
|
yaml_stack_extend: guard against integer overflow
|
|
|
|
diff --git a/src/api.c b/src/api.c
|
|
--- a/src/api.c
|
|
+++ b/src/api.c
|
|
@@ -117,7 +117,12 @@
|
|
YAML_DECLARE(int)
|
|
yaml_stack_extend(void **start, void **top, void **end)
|
|
{
|
|
- void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
|
|
+ void *new_start;
|
|
+
|
|
+ if ((char *)*end - (char *)*start >= INT_MAX / 2)
|
|
+ return 0;
|
|
+
|
|
+ new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
|
|
|
|
if (!new_start) return 0;
|
|
|