
Kirill Simonov committed bce8b60

Fixed heap overflow in yaml_parser_scan_uri_escapes (Thanks Ivan Fratric of the Google Security Team).


Files changed (5)

 
 set (YAML_VERSION_MAJOR 0)
 set (YAML_VERSION_MINOR 1)
-set (YAML_VERSION_PATCH 4)
+set (YAML_VERSION_PATCH 6)
 set (YAML_VERSION_STRING "${YAML_VERSION_MAJOR}.${YAML_VERSION_MINOR}.${YAML_VERSION_PATCH}")
 
 file (GLOB SRC src/*.c)
 # Define the package version numbers and the bug reporting link.
 m4_define([YAML_MAJOR], 0)
 m4_define([YAML_MINOR], 1)
-m4_define([YAML_PATCH], 5)
+m4_define([YAML_PATCH], 6)
 m4_define([YAML_BUGS], [http://pyyaml.org/newticket?component=libyaml])
 
 # Define the libtool version numbers; check the Autobook, Section 11.4.
 #           YAML_AGE = 0
 m4_define([YAML_RELEASE], 0)
 m4_define([YAML_CURRENT], 2)
-m4_define([YAML_REVISION], 3)
+m4_define([YAML_REVISION], 4)
 m4_define([YAML_AGE], 0)
 
 # Initialize autoconf & automake.
         /* Check if it is a URI-escape sequence. */
 
         if (CHECK(parser->buffer, '%')) {
+            if (!STRING_EXTEND(parser, string))
+                goto error;
+
             if (!yaml_parser_scan_uri_escapes(parser,
                         directive, start_mark, &string)) goto error;
         }
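Review bot: The new `STRING_EXTEND(parser, string)` guard sits in this caller, so the buffer's safety during `yaml_parser_scan_uri_escapes` depends on every call site reserving space before the call. The callee's body is outside this hunk, but the commit title suggests it appends decoded octets through `string` without growing it; if that is right, a comment above the guard should record the contract, for example `/* yaml_parser_scan_uri_escapes appends decoded octets without growing the string; reserve headroom first. */`. It is also worth confirming that the bytes one call can append never exceed the headroom `STRING_EXTEND` reserves (the `+5` test in src/yaml_private.h). The enclosing loop and function start and end outside the hunk.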

src/yaml_private.h

      (string).start = (string).pointer = (string).end = 0)
 
 #define STRING_EXTEND(context,string)                                           \
-    (((string).pointer+5 < (string).end)                                        \
+    ((((string).pointer+5 < (string).end)                                       \
         || yaml_string_extend(&(string).start,                                  \
-            &(string).pointer, &(string).end))
+            &(string).pointer, &(string).end)) ?                                \
+         1 :                                                                    \
+        ((context)->error = YAML_MEMORY_ERROR,                                  \
+         0))
 
 #define CLEAR(context,string)                                                   \
     ((string).pointer = (string).start,                                         \
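Review bot: `STRING_EXTEND` yields 1 as soon as `yaml_string_extend` succeeds, without re-testing `(string).pointer+5 < (string).end`, so the headroom guarantee holds only if a single extend always adds at least the room that test expects. `yaml_string_extend` is not shown on this page, so the assumption should be stated next to the macro, e.g. `/* Reserves room for a short write at (string).pointer; relies on yaml_string_extend growing the buffer by more than 5 bytes. */`. The macro now also dereferences `context`, which the removed lines never used, so every existing call site must pass a pointer to a struct with an `error` member. `string` is still expanded several times, so arguments with side effects remain unsafe.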
 #define YAML_VERSION_MAJOR 0
 #define YAML_VERSION_MINOR 1
-#define YAML_VERSION_PATCH 5
-#define YAML_VERSION_STRING "0.1.5"
+#define YAML_VERSION_PATCH 6
+#define YAML_VERSION_STRING "0.1.6"