Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:dspinella:zlib-ng-staging
libyajl
libyajl-CVE-2022-24795.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File libyajl-CVE-2022-24795.patch of Package libyajl
From d3a528c788ba9e531fab91db41d3a833c54da325 Mon Sep 17 00:00:00 2001 From: Jacek Tomasiak <jacek.tomasiak@gmail.com> Date: Thu, 12 May 2022 13:02:47 +0200 Subject: [PATCH] Fix CVE-2022-24795 (from brianmario/yajl-ruby) The buffer reallocation could cause heap corruption because of `need` overflow for large inputs. In addition, there's a possible infinite loop in case `need` reaches zero. The fix is to `abort()` if the loop ends with lower value of `need` than when it started. --- src/yajl_buf.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) Index: yajl-2.1.0/src/yajl_buf.c =================================================================== --- yajl-2.1.0.orig/src/yajl_buf.c +++ yajl-2.1.0/src/yajl_buf.c @@ -45,7 +45,15 @@ void yajl_buf_ensure_available(yajl_buf need = buf->len; - while (want >= (need - buf->used)) need <<= 1; + while (need > 0 && want >= (need - buf->used)) { + /* this eventually "overflows" to zero */ + need <<= 1; + } + + /* overflow */ + if (need < buf->len) { + abort(); + } if (need != buf->len) { buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor