packages/yajl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!18 fix CVE-2022-24795

Browse Source 
From: @panxh_purple 
Reviewed-by: @xiezhipeng1 
Signed-off-by: @xiezhipeng1
This commit is contained in:
openeuler-ci-bot 2022-09-09 07:25:22 +00:00 committed by Gitee
commit 4a94f3fc12
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 63 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
backport-CVE-2022-24795.patch Normal file
View File

@ -0,0 +1,58 @@
From 23cea2d7677e396efed78bbf1bf153961fab6bad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 7 Apr 2022 17:29:54 +0200
Subject: [PATCH] Fix CVE-2022-24795
There was an integer overflow in yajl_buf_ensure_available() leading
to allocating less memory than requested. Then data were written past
the allocated heap buffer in yajl_buf_append(), the only caller of
yajl_buf_ensure_available(). Another result of the overflow was an
infinite loop without a return from yajl_buf_ensure_available().
yajl-ruby project, which bundles yajl, fixed it
<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the
integer overflow, fortifying buffer allocations, and report the
failures to a caller. But then the caller yajl_buf_append() skips
a memory write if yajl_buf_ensure_available() failed leading to a data
corruption.
A yajl fork mainter recommended calling memory allocation callbacks with
the large memory request and let them to handle it. But that has the
problem that it's not possible pass the overely large size to the
callbacks.
This patch catches the integer overflow and terminates the process
with abort().
https://github.com/lloyd/yajl/issues/239
https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
---
src/yajl_buf.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/yajl_buf.c b/src/yajl_buf.c
index 1aeafde..55c11ad 100644
--- a/src/yajl_buf.c
+++ b/src/yajl_buf.c
@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
need = buf->len;
- while (want >= (need - buf->used)) need <<= 1;
+ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
+ /* We cannot allocate more memory than SIZE_MAX. */
+ abort();
+ }
+ while (want >= (need - buf->used)) {
+ if (need >= (size_t)((size_t)(-1)<<1)>>1) {
+ /* need would overflow. */
+ abort();
+ }
+ need <<= 1;
+ }
if (need != buf->len) {
buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
--
2.27.0

6
yajl.spec
View File

@ -1,6 +1,6 @@
Name: yajl Name: yajl
Version: 2.1.0 Version: 2.1.0
Release: 16 Release: 17
Summary: Yet Another JSON Library Summary: Yet Another JSON Library
License: ISC License: ISC
URL: http://lloyd.github.com/yajl/ URL: http://lloyd.github.com/yajl/
@ -13,6 +13,7 @@ Patch4: 0004-yajl-2.1.0-dynlink-binaries.patch
Patch5: 0005-yajl-2.1.0-fix-memory-leak.patch Patch5: 0005-yajl-2.1.0-fix-memory-leak.patch
Patch6: 0006-fix-memory-leak-of-ctx-root.patch Patch6: 0006-fix-memory-leak-of-ctx-root.patch
Patch7: 0007-add-cmake-option-for-test-and-binary.patch Patch7: 0007-add-cmake-option-for-test-and-binary.patch
Patch8: backport-CVE-2022-24795.patch
BuildRequires: cmake gcc BuildRequires: cmake gcc
@ -69,6 +70,9 @@ cd ../api
%{_libdir}/libyajl_s.a %{_libdir}/libyajl_s.a
%changelog %changelog
* Fri Sep 9 2022 panxiaohe <panxh.life@foxmail.com> - 2.1.0-17
- fix CVE-2022-24795
* Wed Jun 8 2022 haozi007 <liuhao27@h-partners.com> - 2.1.0-16 * Wed Jun 8 2022 haozi007 <liuhao27@h-partners.com> - 2.1.0-16
- add index for patch and add cmake options - add index for patch and add cmake options