Fixed heap overflow in yaml_parser_scan_uri_escapes (Thanks Ivan Frat…

…ric of the Google Security Team).
yaml · Mar 26, 2014 · d1003a9 · d1003a9
1 parent 662f4be
commit d1003a9
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 7 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -5,7 +5,7 @@ project (yaml C)
 
 set (YAML_VERSION_MAJOR 0)
 set (YAML_VERSION_MINOR 1)
-set (YAML_VERSION_PATCH 4)
+set (YAML_VERSION_PATCH 6)
 set (YAML_VERSION_STRING "${YAML_VERSION_MAJOR}.${YAML_VERSION_MINOR}.${YAML_VERSION_PATCH}")
 
 file (GLOB SRC src/*.c)

diff --git a/configure.ac b/configure.ac
@@ -3,7 +3,7 @@
 # Define the package version numbers and the bug reporting link.
 m4_define([YAML_MAJOR], 0)
 m4_define([YAML_MINOR], 1)
-m4_define([YAML_PATCH], 5)
+m4_define([YAML_PATCH], 6)
 m4_define([YAML_BUGS], [http://pyyaml.org/newticket?component=libyaml])
 
 # Define the libtool version numbers; check the Autobook, Section 11.4.
@@ -19,7 +19,7 @@ m4_define([YAML_BUGS], [http://pyyaml.org/newticket?component=libyaml])
 #           YAML_AGE = 0
 m4_define([YAML_RELEASE], 0)
 m4_define([YAML_CURRENT], 2)
-m4_define([YAML_REVISION], 3)
+m4_define([YAML_REVISION], 4)
 m4_define([YAML_AGE], 0)
 
 # Initialize autoconf & automake.

diff --git a/src/scanner.c b/src/scanner.c
@@ -2629,6 +2629,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *parser, int directive,
         /* Check if it is a URI-escape sequence. */
 
         if (CHECK(parser->buffer, '%')) {
+            if (!STRING_EXTEND(parser, string))
+                goto error;
+
             if (!yaml_parser_scan_uri_escapes(parser,
                         directive, start_mark, &string)) goto error;
         }

diff --git a/src/yaml_private.h b/src/yaml_private.h
@@ -143,9 +143,12 @@ yaml_string_join(
      (string).start = (string).pointer = (string).end = 0)
 
 #define STRING_EXTEND(context,string)                                           \
-    (((string).pointer+5 < (string).end)                                        \
+    ((((string).pointer+5 < (string).end)                                       \
         || yaml_string_extend(&(string).start,                                  \
-            &(string).pointer, &(string).end))
+            &(string).pointer, &(string).end)) ?                                \
+         1 :                                                                    \
+        ((context)->error = YAML_MEMORY_ERROR,                                  \
+         0))
 
 #define CLEAR(context,string)                                                   \
     ((string).pointer = (string).start,                                         \

diff --git a/win32/config.h b/win32/config.h
@@ -1,4 +1,4 @@
 #define YAML_VERSION_MAJOR 0
 #define YAML_VERSION_MINOR 1
-#define YAML_VERSION_PATCH 5
-#define YAML_VERSION_STRING "0.1.5"
+#define YAML_VERSION_PATCH 6
+#define YAML_VERSION_STRING "0.1.6"