Diffstat (limited to 'meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch')
-rw-r--r-- | meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch | 59 |
1 files changed, 59 insertions, 0 deletions
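--- /dev/null
+++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch
@@ -0,0 +1,59 @@
+From 17de4d15687aa30c49660dc4b792b1fb4d38b569 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 7 Apr 2022 17:29:54 +0200
+Subject: [PATCH] Fix CVE-2022-24795
+
+There was an integer overflow in yajl_buf_ensure_available() leading
+to allocating less memory than requested. Then data were written past
+the allocated heap buffer in yajl_buf_append(), the only caller of
+yajl_buf_ensure_available(). Another result of the overflow was an
+infinite loop without a return from yajl_buf_ensure_available().
+
+yajl-ruby project, which bundles yajl, fixed it
+<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the
+integer overflow, fortifying buffer allocations, and report the
+failures to a caller. But then the caller yajl_buf_append() skips
+a memory write if yajl_buf_ensure_available() failed leading to a data
+corruption.
+
+A yajl fork mainter recommended calling memory allocation callbacks with
+the large memory request and let them to handle it. But that has the
+problem that it's not possible pass the overely large size to the
+callbacks.
+
+This patch catches the integer overflow and terminates the process
+with abort().
+
+CVE: CVE-2022-24795
+Upstream-Status: Submitted [https://github.com/lloyd/yajl/issues/239]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+src/yajl_buf.c | 12 +++++++++++-
+1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/yajl_buf.c b/src/yajl_buf.c
+index 1aeafde..55c11ad 100644
+--- a/src/yajl_buf.c
++++ b/src/yajl_buf.c
+@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
+
+need = buf->len;
+
+- while (want >= (need - buf->used)) need <<= 1;
++ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
++ /* We cannot allocate more memory than SIZE_MAX. */
++ abort();
++ }
++ while (want >= (need - buf->used)) {
++ if (need >= (size_t)((size_t)(-1)<<1)>>1) {
++ /* need would overflow. */
++ abort();
++ }
++ need <<= 1;
++ }
+
+if (need != buf->len) {
+buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
+--
+2.34.1
+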
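Review bot: The loop guard at patch line 48, `if (need >= (size_t)((size_t)(-1)<<1)>>1)`, encodes SIZE_MAX / 2 as a shift chain that a reader has to decode before they can check it against the `need <<= 1` it protects. If yajl_buf.c already has <stdint.h> in scope (its includes are outside this hunk), `if (need >= SIZE_MAX / 2) {` says the same thing with the same abort point; otherwise the comment should at least spell it out, e.g. `/* need <<= 1 must not exceed SIZE_MAX; the shift pair evaluates to SIZE_MAX / 2. */`. Both guards resolve the overflow with abort(), so an oversized append now ends the process instead of returning an error; that is the trade-off the patch description states at lines 24-25, and a consumer linking yajl as a library should be aware that parser input can reach it. abort() requires <stdlib.h>, which this hunk does not show being included, so that is worth confirming against the file. The enclosing yajl_buf_ensure_available() begins before and ends after the hunk.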