37 lines
1.2 KiB
Diff
37 lines
1.2 KiB
Diff
From d3a528c788ba9e531fab91db41d3a833c54da325 Mon Sep 17 00:00:00 2001
|
|
From: Jacek Tomasiak <jacek.tomasiak@gmail.com>
|
|
Date: Thu, 12 May 2022 13:02:47 +0200
|
|
Subject: [PATCH] Fix CVE-2022-24795 (from brianmario/yajl-ruby)
|
|
|
|
The buffer reallocation could cause heap corruption because of `need`
|
|
overflow for large inputs. In addition, there's a possible infinite loop
|
|
in case `need` reaches zero.
|
|
|
|
The fix is to `abort()` if the loop ends with lower value of `need` than
|
|
when it started.
|
|
---
|
|
src/yajl_buf.c | 10 +++++++++-
|
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
|
Index: yajl-2.1.0/src/yajl_buf.c
|
|
===================================================================
|
|
--- yajl-2.1.0.orig/src/yajl_buf.c
|
|
+++ yajl-2.1.0/src/yajl_buf.c
|
|
@@ -45,7 +45,15 @@ void yajl_buf_ensure_available(yajl_buf
|
|
|
|
need = buf->len;
|
|
|
|
- while (want >= (need - buf->used)) need <<= 1;
|
|
+ while (need > 0 && want >= (need - buf->used)) {
|
|
+ /* this eventually "overflows" to zero */
|
|
+ need <<= 1;
|
|
+ }
|
|
+
|
|
+ /* overflow */
|
|
+ if (need < buf->len) {
|
|
+ abort();
|
|
+ }
|
|
|
|
if (need != buf->len) {
|
|
buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
|