1 files changed, 59 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch
new file mode 100644
index 000000000..0dc859099
--- /dev/null
+++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch
@@ -0,0 +1,59 @@
+From 17de4d15687aa30c49660dc4b792b1fb4d38b569 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 7 Apr 2022 17:29:54 +0200
+Subject: [PATCH] Fix CVE-2022-24795
+There was an integer overflow in yajl_buf_ensure_available() leading
+to allocating less memory than requested. Then data were written past
+the allocated heap buffer in yajl_buf_append(), the only caller of
+yajl_buf_ensure_available(). Another result of the overflow was an
+infinite loop without a return from yajl_buf_ensure_available().
+yajl-ruby project, which bundles yajl, fixed it
+<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the
+integer overflow, fortifying buffer allocations, and report the
+failures to a caller. But then the caller yajl_buf_append() skips
+a memory write if yajl_buf_ensure_available() failed leading to a data
+corruption.
+A yajl fork mainter recommended calling memory allocation callbacks with
+the large memory request and let them to handle it. But that has the
+problem that it's not possible pass the overely large size to the
+callbacks.
+This patch catches the integer overflow and terminates the process
+with abort().
+CVE: CVE-2022-24795
+Upstream-Status: Submitted [https://github.com/lloyd/yajl/issues/239]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ src/yajl_buf.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+diff --git a/src/yajl_buf.c b/src/yajl_buf.c
+index 1aeafde..55c11ad 100644
+--- a/src/yajl_buf.c
+++ b/src/yajl_buf.c
+@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
+ 
+     need = buf->len;
+ 
+-    while (want >= (need - buf->used)) need <<= 1;
+    if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
+        /* We cannot allocate more memory than SIZE_MAX. */
+        abort();
+    }
+    while (want >= (need - buf->used)) {
+        if (need >= (size_t)((size_t)(-1)<<1)>>1) {
+            /* need would overflow. */
+            abort();
+        }
+        need <<= 1;
+    }
+ 
+     if (need != buf->len) {
+         buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
+-- 
+2.34.1

diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch new file mode 100644 index 000000000..0dc859099 --- /dev/null +++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch
@@ -0,0 +1,59 @@
	1	From 17de4d15687aa30c49660dc4b792b1fb4d38b569 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
	3	Date: Thu, 7 Apr 2022 17:29:54 +0200
	4	Subject: [PATCH] Fix CVE-2022-24795
	5
	6	There was an integer overflow in yajl_buf_ensure_available() leading
	7	to allocating less memory than requested. Then data were written past
	8	the allocated heap buffer in yajl_buf_append(), the only caller of
	9	yajl_buf_ensure_available(). Another result of the overflow was an
	10	infinite loop without a return from yajl_buf_ensure_available().
	11
	12	yajl-ruby project, which bundles yajl, fixed it
	13	<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the
	14	integer overflow, fortifying buffer allocations, and report the
	15	failures to a caller. But then the caller yajl_buf_append() skips
	16	a memory write if yajl_buf_ensure_available() failed leading to a data
	17	corruption.
	18
	19	A yajl fork mainter recommended calling memory allocation callbacks with
	20	the large memory request and let them to handle it. But that has the
	21	problem that it's not possible pass the overely large size to the
	22	callbacks.
	23
	24	This patch catches the integer overflow and terminates the process
	25	with abort().
	26
	27	CVE: CVE-2022-24795
	28	Upstream-Status: Submitted [https://github.com/lloyd/yajl/issues/239]
	29	Signed-off-by: Ross Burton <ross.burton@arm.com>
	30	---
	31	src/yajl_buf.c \| 12 +++++++++++-
	32	1 file changed, 11 insertions(+), 1 deletion(-)
	33
	34	diff --git a/src/yajl_buf.c b/src/yajl_buf.c
	35	index 1aeafde..55c11ad 100644
	36	--- a/src/yajl_buf.c
	37	+++ b/src/yajl_buf.c
	38	@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
	39
	40	need = buf->len;
	41
	42	- while (want >= (need - buf->used)) need <<= 1;
	43	+ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
	44	+ /* We cannot allocate more memory than SIZE_MAX. */
	45	+ abort();
	46	+ }
	47	+ while (want >= (need - buf->used)) {
	48	+ if (need >= (size_t)((size_t)(-1)<<1)>>1) {
	49	+ /* need would overflow. */
	50	+ abort();
	51	+ }
	52	+ need <<= 1;
	53	+ }
	54
	55	if (need != buf->len) {
	56	buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
	57	--
	58	2.34.1
	59