e6cccc0 Apply patch for CVE-2013-6393 [1] to fix heap-based buffer overflow when parsing YAML tags. — HardenedBSD-pkg

rad:z3QDZAW2FAfuLvihrhiyDC9fAD8G9

HardenedBSD Package Manager

Apply patch for CVE-2013-6393 [1] to fix heap-based buffer overflow when parsing YAML tags.

Bryan Drewery committed 12 years ago

commit e6cccc085724a03f49f1fc8e5edcf55e0c402156
parent f9f769c

1 file changed +55 -8

modified external/libyaml/src/scanner.c

@@ -615,11 +615,14 @@ yaml_parser_decrease_flow_level(yaml_parser_t *parser);

  */
 static int
 yaml_parser_roll_indent(yaml_parser_t *parser, int column,
 yaml_parser_roll_indent(yaml_parser_t *parser, size_t column,
         int number, yaml_token_type_t type, yaml_mark_t mark);
 static int
 yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
 yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column);
 static int
 yaml_parser_reset_indent(yaml_parser_t *parser);
 /*
  * Token fetchers.

@@ -1206,7 +1209,7 @@ yaml_parser_decrease_flow_level(yaml_parser_t *parser)

  */
 static int
 yaml_parser_roll_indent(yaml_parser_t *parser, int column,
 yaml_parser_roll_indent(yaml_parser_t *parser, size_t column,
         int number, yaml_token_type_t type, yaml_mark_t mark)
 {
     yaml_token_t token;

@@ -1216,7 +1219,7 @@ yaml_parser_roll_indent(yaml_parser_t *parser, int column,

     if (parser->flow_level)
         return 1;
     if (parser->indent < column)
     if (parser->indent == -1 || parser->indent < column)
     {
         /*
          * Push the current indentation level to the stack and set the new

@@ -1254,7 +1257,7 @@ yaml_parser_roll_indent(yaml_parser_t *parser, int column,

 static int
 yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
 yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column)
 {
     yaml_token_t token;

@@ -1263,6 +1266,15 @@ yaml_parser_unroll_indent(yaml_parser_t *parser, int column)

     if (parser->flow_level)
         return 1;
     /*
      * column is unsigned and parser->indent is signed, so if
      * parser->indent is less than zero the conditional in the while
      * loop below is incorrect.  Guard against that.
      */
     if (parser->indent < 0)
         return 1;
     /* Loop through the intendation levels in the stack. */
     while (parser->indent > column)

@@ -1283,6 +1295,41 @@ yaml_parser_unroll_indent(yaml_parser_t *parser, int column)

 }
 /*
  * Pop indentation levels from the indents stack until the current
  * level resets to -1.  For each intendation level, append the
  * BLOCK-END token.
  */
 static int
 yaml_parser_reset_indent(yaml_parser_t *parser)
 {
     yaml_token_t token;
     /* In the flow context, do nothing. */
     if (parser->flow_level)
         return 1;
     /* Loop through the intendation levels in the stack. */
     while (parser->indent > -1)
     {
         /* Create a token and append it to the queue. */
         TOKEN_INIT(token, YAML_BLOCK_END_TOKEN, parser->mark, parser->mark);
         if (!ENQUEUE(parser, parser->tokens, token))
             return 0;
         /* Pop the indentation level. */
         parser->indent = POP(parser, parser->indents);
     }
     return 1;
 }
 /*
  * Initialize the scanner and produce the STREAM-START token.
  */

@@ -1338,7 +1385,7 @@ yaml_parser_fetch_stream_end(yaml_parser_t *parser)

     /* Reset the indentation level. */
     if (!yaml_parser_unroll_indent(parser, -1))
     if (!yaml_parser_reset_indent(parser))
         return 0;
     /* Reset simple keys. */

@@ -1369,7 +1416,7 @@ yaml_parser_fetch_directive(yaml_parser_t *parser)

     /* Reset the indentation level. */
     if (!yaml_parser_unroll_indent(parser, -1))
     if (!yaml_parser_reset_indent(parser))
         return 0;
     /* Reset simple keys. */

@@ -1407,7 +1454,7 @@ yaml_parser_fetch_document_indicator(yaml_parser_t *parser,

     /* Reset the indentation level. */
     if (!yaml_parser_unroll_indent(parser, -1))
     if (!yaml_parser_reset_indent(parser))
         return 0;
     /* Reset simple keys. */