File libyajl-CVE-2022-24795.patch of Package rubygem-yajl-ruby.24290

Overview Repositories Revisions Requests Users Attributes Meta

File libyajl-CVE-2022-24795.patch of Package rubygem-yajl-ruby.24290

From d3a528c788ba9e531fab91db41d3a833c54da325 Mon Sep 17 00:00:00 2001
From: Jacek Tomasiak <jacek.tomasiak@gmail.com>
Date: Thu, 12 May 2022 13:02:47 +0200
Subject: [PATCH] Fix CVE-2022-24795 (from brianmario/yajl-ruby)

The buffer reallocation could cause heap corruption because of `need`
overflow for large inputs. In addition, there's a possible infinite loop
in case `need` reaches zero.

The fix is to `abort()` if the loop ends with lower value of `need` than
when it started.
---
 src/yajl_buf.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/yajl_buf.c b/src/yajl_buf.c
index 1aeafde0..637c3a14 100644
--- a/ext/yajl/yajl_buf.c
+++ b/ext/yajl/yajl_buf.c
@@ -45,7 +45,15 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
 
     need = buf->len;
 
-    while (want >= (need - buf->used)) need <<= 1;
+    while (need > 0 && want >= (need - buf->used)) {
+        /* this eventually "overflows" to zero */
+        need <<= 1;
+    }
+
+    /* overflow */
+    if (need < buf->len) {
+        abort();
+    }
 
     if (need != buf->len) {
         buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);

Places

File libyajl-CVE-2022-24795.patch of Package rubygem-yajl-ruby.24290

Places