!47 [sync]PR-45:fix CVE-2017-16516

From: @flipped_07_009 
Reviewed-by: @znzjugod 
Signed-off-by: @znzjugod

backport-CVE-2022-24795.patch

@@ -0,0 +1,58 @@
+From 23cea2d7677e396efed78bbf1bf153961fab6bad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 7 Apr 2022 17:29:54 +0200
+Subject: [PATCH] Fix CVE-2022-24795
+
+There was an integer overflow in yajl_buf_ensure_available() leading
+to allocating less memory than requested. Then data were written past
+the allocated heap buffer in yajl_buf_append(), the only caller of
+yajl_buf_ensure_available(). Another result of the overflow was an
+infinite loop without a return from yajl_buf_ensure_available().
+
+yajl-ruby project, which bundles yajl, fixed it
+<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the
+integer overflow, fortifying buffer allocations, and report the
+failures to a caller. But then the caller yajl_buf_append() skips
+a memory write if yajl_buf_ensure_available() failed leading to a data
+corruption.
+
+A yajl fork mainter recommended calling memory allocation callbacks with
+the large memory request and let them to handle it. But that has the
+problem that it's not possible pass the overely large size to the
+callbacks.
+
+This patch catches the integer overflow and terminates the process
+with abort().
+
+https://github.com/lloyd/yajl/issues/239
+https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
+---
+ src/yajl_buf.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/yajl_buf.c b/src/yajl_buf.c
+index 1aeafde..55c11ad 100644
+--- a/src/yajl_buf.c
++++ b/src/yajl_buf.c
+@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
+ 
+     need = buf->len;
+ 
+-    while (want >= (need - buf->used)) need <<= 1;
++    if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
++        /* We cannot allocate more memory than SIZE_MAX. */
++        abort();
++    }
++    while (want >= (need - buf->used)) {
++        if (need >= (size_t)((size_t)(-1)<<1)>>1) {
++            /* need would overflow. */
++            abort();
++        }
++        need <<= 1;
++    }
+ 
+     if (need != buf->len) {
+         buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
+-- 
+2.27.0
+

backport-Fix-for-CVE-2017-16516.patch

@@ -0,0 +1,43 @@
+From 0b5e73c4321de0ba1d495fdc0967054b2a77931c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 10 Jul 2023 13:36:10 +0100
+Subject: [PATCH 5/8] Fix for CVE-2017-16516
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Description: Fix for CVE-2017-16516
+ Potential buffer overread: A JSON file can cause denial of service.
+Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
+Bug: https://github.com/lloyd/yajl/issues/248
+
+Patch taken from Debian package source
+
+NB, Fedora code can't trigger the reported aborts since it passes the
+-DNDEBUG flag, but pulling the fix for robustness in case a future
+change enables the assert()s.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/yajl_encode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/yajl_encode.c b/src/yajl_encode.c
+index fd08258..0d97cc5 100644
+--- a/src/yajl_encode.c
++++ b/src/yajl_encode.c
+@@ -139,8 +139,8 @@ void yajl_string_decode(yajl_buf buf, const unsigned char * str,
+                     end+=3;
+                     /* check if this is a surrogate */
+                     if ((codepoint & 0xFC00) == 0xD800) {
+-                        end++;
+-                        if (str[end] == '\\' && str[end + 1] == 'u') {
++                        if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {
++                            end++;
+                             unsigned int surrogate = 0;
+                             hexToDigit(&surrogate, str + end + 2);
+                             codepoint =
+-- 
+2.41.0
+

yajl-assert-error-when-memory-allocation-failed.patch

@@ -0,0 +1,109 @@
+From 941bc5f96825e9178b8354cf16b033fb61221021 Mon Sep 17 00:00:00 2001
+From: Ruoshu Gao <gaoruoshu@huawei.com>
+Date: Thu, 8 Sep 2022 19:15:58 +0800
+Subject: [PATCH] yajl: assert error when memory allocation failed
+
+Signed-off-by: Ruoshu Gao <gaoruoshu@huawei.com>
+---
+ src/yajl.c               | 2 ++
+ src/yajl_buf.c           | 3 +++
+ src/yajl_bytestack.h     | 2 ++
+ src/yajl_lex.c           | 1 +
+ test/parsing/yajl_test.c | 1 +
+ 5 files changed, 9 insertions(+)
+
+diff --git a/src/yajl.c b/src/yajl.c
+index d477893..c0f3094 100644
+--- a/src/yajl.c
++++ b/src/yajl.c
+@@ -62,6 +62,7 @@ yajl_alloc(const yajl_callbacks * callbacks,
+     }
+ 
+     hand = (yajl_handle) YA_MALLOC(afs, sizeof(struct yajl_handle_t));
++    if (!hand) abort();
+ 
+     /* copy in pointers to allocation routines */
+     memcpy((void *) &(hand->alloc), (void *) afs, sizeof(yajl_alloc_funcs));
+@@ -145,6 +146,7 @@ yajl_complete_parse(yajl_handle hand)
+         hand->lexer = yajl_lex_alloc(&(hand->alloc),
+                                      hand->flags & yajl_allow_comments,
+                                      !(hand->flags & yajl_dont_validate_strings));
++        if (!hand->lexer) abort();
+     }
+ 
+     return yajl_do_finish(hand);
+diff --git a/src/yajl_buf.c b/src/yajl_buf.c
+index 1aeafde..5556a17 100644
+--- a/src/yajl_buf.c
++++ b/src/yajl_buf.c
+@@ -40,6 +40,7 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
+     if (buf->data == NULL) {
+         buf->len = YAJL_BUF_INIT_SIZE;
+         buf->data = (unsigned char *) YA_MALLOC(buf->alloc, buf->len);
++        if (!buf->data) abort();
+         buf->data[0] = 0;
+     }
+ 
+@@ -49,6 +50,7 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
+ 
+     if (need != buf->len) {
+         buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
++        if (!buf->data) abort();
+         buf->len = need;
+     }
+ }
+@@ -56,6 +58,7 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
+ yajl_buf yajl_buf_alloc(yajl_alloc_funcs * alloc)
+ {
+     yajl_buf b = YA_MALLOC(alloc, sizeof(struct yajl_buf_t));
++    if (!b) abort();
+     memset((void *) b, 0, sizeof(struct yajl_buf_t));
+     b->alloc = alloc;
+     return b;
+diff --git a/src/yajl_bytestack.h b/src/yajl_bytestack.h
+index 9ea7d15..1072081 100644
+--- a/src/yajl_bytestack.h
++++ b/src/yajl_bytestack.h
+@@ -23,6 +23,7 @@
+ #define __YAJL_BYTESTACK_H__
+ 
+ #include "api/yajl_common.h"
++#include <stdlib.h>
+ 
+ #define YAJL_BS_INC 128
+ 
+@@ -56,6 +57,7 @@ typedef struct yajl_bytestack_t
+         (obs).stack = (obs).yaf->realloc((obs).yaf->ctx,\
+                                          (void *) (obs).stack, (obs).size);\
+     }                                                   \
++    if (!(obs).stack) abort();                          \
+     (obs).stack[((obs).used)++] = (byte);               \
+ }
+ 
+diff --git a/src/yajl_lex.c b/src/yajl_lex.c
+index 0b6f7cc..a08e703 100644
+--- a/src/yajl_lex.c
++++ b/src/yajl_lex.c
+@@ -105,6 +105,7 @@ yajl_lex_alloc(yajl_alloc_funcs * alloc,
+                unsigned int allowComments, unsigned int validateUTF8)
+ {
+     yajl_lexer lxr = (yajl_lexer) YA_MALLOC(alloc, sizeof(struct yajl_lexer_t));
++    if (!lxr) abort();
+     memset((void *) lxr, 0, sizeof(struct yajl_lexer_t));
+     lxr->buf = yajl_buf_alloc(alloc);
+     lxr->allowComments = allowComments;
+diff --git a/test/parsing/yajl_test.c b/test/parsing/yajl_test.c
+index c50755b..8d67ed9 100644
+--- a/test/parsing/yajl_test.c
++++ b/test/parsing/yajl_test.c
+@@ -102,6 +102,7 @@ static int test_yajl_map_key(void *ctx, const unsigned char * stringVal,
+                              size_t stringLen)
+ {
+     char * str = (char *) malloc(stringLen + 1);
++    if (!str) abort();
+     str[stringLen] = 0;
+     memcpy(str, stringVal, stringLen);
+     printf("key: '%s'\n", str);
+-- 
+2.33.0
+

yajl.spec

@@ -1,10 +1,10 @@
 Name:           yajl
 Version:        2.1.0
-Release:        16
+Release:        21
 Summary:        Yet Another JSON Library
 License:        ISC
-URL:            http://lloyd.github.com/yajl/
-Source0:        https://github.com/lloyd/yajl/archive/%{version}.tar.gz
+URL:            https://github.com/lloyd/yajl
+Source0:        https://github.com/lloyd/yajl/archive/refs/tags/%{version}.tar.gz
 
 Patch1:         0001-yajl-2.1.0-pkgconfig-location.patch
 Patch2:         0002-yajl-2.1.0-pkgconfig-includedir.patch
@@ -13,6 +13,9 @@ Patch4:         0004-yajl-2.1.0-dynlink-binaries.patch
 Patch5:         0005-yajl-2.1.0-fix-memory-leak.patch
 Patch6:         0006-fix-memory-leak-of-ctx-root.patch
 Patch7:         0007-add-cmake-option-for-test-and-binary.patch
+Patch8:         backport-CVE-2022-24795.patch
+Patch9:         yajl-assert-error-when-memory-allocation-failed.patch
+Patch10:        backport-Fix-for-CVE-2017-16516.patch
 
 BuildRequires:  cmake gcc
 
@@ -69,6 +72,21 @@ cd ../api
 %{_libdir}/libyajl_s.a
 
 %changelog
+* Tue Jan 14 2025 pengjian <pengjian23@mails.ucas.ac.cn> - 2.1.0-21
+- fix CVE-2017-16516
+
+* Wed Nov 16 2022 fuanan <fuanan3@h-partners.com> - 2.1.0-20
+- Modify Source0
+
+* Thu Sep 22 2022 panxiaohe <panxh.life@foxmail.com> - 2.1.0-19
+- modify URL
+
+* Fri Sep 9 2022 panxiaohe <panxh.life@foxmail.com> - 2.1.0-18
+- assert error when memory allocation failed
+
+* Fri Sep 9 2022 panxiaohe <panxh.life@foxmail.com> - 2.1.0-17
+- fix CVE-2022-24795
+
 * Wed Jun 8 2022 haozi007 <liuhao27@h-partners.com> - 2.1.0-16
 - add index for patch and add cmake options