diff options
| author | Kirill Simonov <xi@resolvent.net> | 2014-02-02 20:53:10 -0600 |
|---|---|---|
| committer | Kirill Simonov <xi@resolvent.net> | 2014-02-02 20:53:10 -0600 |
| commit | b50ad87aa140b210d24f4c9f9eee38c439451b11 (patch) | |
| tree | 5b7899b1cbbdc60710682ef1c8c2dfc06eb96032 | |
| parent | a7c9828ed588450b7147e5604dc5d42f22d6fd5e (diff) | |
| download | libyaml-hg-b50ad87aa140b210d24f4c9f9eee38c439451b11.tar.gz | |
Prevent node index overflow (Reported by Florian Weimer).
| -rw-r--r-- | src/loader.c | 12 | ||||
| -rw-r--r-- | src/yaml_private.h | 6 |
2 files changed, 18 insertions, 0 deletions
diff --git a/src/loader.c b/src/loader.c index 9d3d912..871149a 100644 --- a/src/loader.c +++ b/src/loader.c @@ -286,6 +286,8 @@ yaml_parser_load_scalar(yaml_parser_t *parser, yaml_event_t *first_event) int index; yaml_char_t *tag = first_event->data.scalar.tag; + if (!STACK_LIMIT(parser, parser->document->nodes, INT_MAX-1)) goto error; + if (!tag || strcmp((char *)tag, "!") == 0) { yaml_free(tag); tag = yaml_strdup((yaml_char_t *)YAML_DEFAULT_SCALAR_TAG); @@ -329,6 +331,8 @@ yaml_parser_load_sequence(yaml_parser_t *parser, yaml_event_t *first_event) int index, item_index; yaml_char_t *tag = first_event->data.sequence_start.tag; + if (!STACK_LIMIT(parser, parser->document->nodes, INT_MAX-1)) goto error; + if (!tag || strcmp((char *)tag, "!") == 0) { yaml_free(tag); tag = yaml_strdup((yaml_char_t *)YAML_DEFAULT_SEQUENCE_TAG); @@ -351,6 +355,9 @@ yaml_parser_load_sequence(yaml_parser_t *parser, yaml_event_t *first_event) if (!yaml_parser_parse(parser, &event)) return 0; while (event.type != YAML_SEQUENCE_END_EVENT) { + if (!STACK_LIMIT(parser, + parser->document->nodes.start[index-1].data.sequence.items, + INT_MAX-1)) return 0; item_index = yaml_parser_load_node(parser, &event); if (!item_index) return 0; if (!PUSH(parser, @@ -387,6 +394,8 @@ yaml_parser_load_mapping(yaml_parser_t *parser, yaml_event_t *first_event) yaml_node_pair_t pair; yaml_char_t *tag = first_event->data.mapping_start.tag; + if (!STACK_LIMIT(parser, parser->document->nodes, INT_MAX-1)) goto error; + if (!tag || strcmp((char *)tag, "!") == 0) { yaml_free(tag); tag = yaml_strdup((yaml_char_t *)YAML_DEFAULT_MAPPING_TAG); @@ -409,6 +418,9 @@ yaml_parser_load_mapping(yaml_parser_t *parser, yaml_event_t *first_event) if (!yaml_parser_parse(parser, &event)) return 0; while (event.type != YAML_MAPPING_END_EVENT) { + if (!STACK_LIMIT(parser, + parser->document->nodes.start[index-1].data.mapping.pairs, + INT_MAX-1)) return 0; pair.key = yaml_parser_load_node(parser, &event); if (!pair.key) return 0; if (!yaml_parser_parse(parser, &event)) return 0; diff --git a/src/yaml_private.h b/src/yaml_private.h index ed5ea66..f835d3d 100644 --- a/src/yaml_private.h +++ b/src/yaml_private.h @@ -421,6 +421,12 @@ yaml_queue_extend(void **start, void **head, void **tail, void **end); #define STACK_EMPTY(context,stack) \ ((stack).start == (stack).top) +#define STACK_LIMIT(context,stack,size) \ + ((stack).top - (stack).start < (size) ? \ + 1 : \ + ((context)->error = YAML_MEMORY_ERROR, \ + 0)) + #define PUSH(context,stack,value) \ (((stack).top != (stack).end \ || yaml_stack_extend((void **)&(stack).start, \ |