authorKirill Simonov <xi@resolvent.net>2014-03-26 07:03:17 -0500
committerKirill Simonov <xi@resolvent.net>2014-03-26 07:03:17 -0500
commite649e5f60830e7412a7272b2a6b6e6efec739e56 (patch)
tree70dbf2902eb1adb7dc89fa543728125a3b82ab3e
parent0577078d6625a7bf06e6bc7fb26a43e27400b17e (diff)
downloadlibyaml-hg-e649e5f60830e7412a7272b2a6b6e6efec739e56.tar.gz
Fixed heap overflow in yaml_parser_scan_uri_escapes (Thanks Ivan Fratric of the Google Security Team).0.1.6
-rw-r--r--CMakeLists.txt2
-rw-r--r--configure.ac4
-rw-r--r--src/scanner.c3
-rw-r--r--src/yaml_private.h7
-rw-r--r--win32/config.h4
5 files changed, 13 insertions, 7 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index d30c536..e84c28c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -5,7 +5,7 @@ project (yaml C)
set (YAML_VERSION_MAJOR 0)
set (YAML_VERSION_MINOR 1)
-set (YAML_VERSION_PATCH 4)
+set (YAML_VERSION_PATCH 6)
set (YAML_VERSION_STRING "${YAML_VERSION_MAJOR}.${YAML_VERSION_MINOR}.${YAML_VERSION_PATCH}")
file (GLOB SRC src/*.c)
diff --git a/configure.ac b/configure.ac
index e7db798..dd1aca0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3,7 +3,7 @@
# Define the package version numbers and the bug reporting link.
m4_define([YAML_MAJOR], 0)
m4_define([YAML_MINOR], 1)
-m4_define([YAML_PATCH], 5)
+m4_define([YAML_PATCH], 6)
m4_define([YAML_BUGS], [http://pyyaml.org/newticket?component=libyaml])
# Define the libtool version numbers; check the Autobook, Section 11.4.
@@ -19,7 +19,7 @@ m4_define([YAML_BUGS], [http://pyyaml.org/newticket?component=libyaml])
# YAML_AGE = 0
m4_define([YAML_RELEASE], 0)
m4_define([YAML_CURRENT], 2)
-m4_define([YAML_REVISION], 3)
+m4_define([YAML_REVISION], 4)
m4_define([YAML_AGE], 0)
# Initialize autoconf & automake.
diff --git a/src/scanner.c b/src/scanner.c
index 8817de2..88d4fa5 100644
--- a/src/scanner.c
+++ b/src/scanner.c
@@ -2629,6 +2629,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *parser, int directive,
/* Check if it is a URI-escape sequence. */
if (CHECK(parser->buffer, '%')) {
+ if (!STRING_EXTEND(parser, string))
+ goto error;
+
if (!yaml_parser_scan_uri_escapes(parser,
directive, start_mark, &string)) goto error;
}
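Review bot: The new `STRING_EXTEND(parser, string)` guard reserves space in the caller, but the bytes are appended inside `yaml_parser_scan_uri_escapes`, whose body is outside this hunk, so nothing at the write site states or enforces how much room it needs. The macro only guarantees a little over five free bytes, which presumably covers one decoded UTF-8 sequence; that coupling should be written down here, e.g. `/* Reserve room for one decoded UTF-8 sequence: yaml_parser_scan_uri_escapes() appends without checking capacity. */`. Moving the reservation into the callee would be more robust, since a future caller cannot then forget it. The diffstat also shows no test file, so a regression case for escaped tag URIs run under a memory sanitizer would help keep this fixed. The enclosing `yaml_parser_scan_tag_uri` starts and ends outside the hunk.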
diff --git a/src/yaml_private.h b/src/yaml_private.h
index 9589e05..f0e1001 100644
--- a/src/yaml_private.h
+++ b/src/yaml_private.h
@@ -143,9 +143,12 @@ yaml_string_join(
(string).start = (string).pointer = (string).end = 0)
#define STRING_EXTEND(context,string) \
- (((string).pointer+5 < (string).end) \
+ ((((string).pointer+5 < (string).end) \
|| yaml_string_extend(&(string).start, \
- &(string).pointer, &(string).end))
+ &(string).pointer, &(string).end)) ? \
+ 1 : \
+ ((context)->error = YAML_MEMORY_ERROR, \
+ 0))
#define CLEAR(context,string) \
((string).pointer = (string).start, \
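Review bot: The capacity test kept on the new line `(string).pointer+5 < (string).end` forms a pointer more than one past the end of the buffer whenever fewer than five bytes remain. That is undefined behaviour in C, and an optimiser may assume it never happens and drop the check. Comparing the remaining length avoids this: `(((string).end - (string).pointer > 5) \`. The bare `5` would also be clearer as a named constant with a comment on what it must cover. Since the macro now dereferences `context` where it previously ignored it, every existing call site needs a first argument with an `error` member; those call sites are not visible in this diff.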
diff --git a/win32/config.h b/win32/config.h
index c551551..2459f49 100644
--- a/win32/config.h
+++ b/win32/config.h
@@ -1,4 +1,4 @@
#define YAML_VERSION_MAJOR 0
#define YAML_VERSION_MINOR 1
-#define YAML_VERSION_PATCH 5
-#define YAML_VERSION_STRING "0.1.5"
+#define YAML_VERSION_PATCH 6
+#define YAML_VERSION_STRING "0.1.6"