From a61b8d5f5b7b000f24223c5d517d8c9c09505153 Mon Sep 17 00:00:00 2001
From: fly_fzc <2385803914@qq.com>
Date: Thu, 25 Apr 2024 10:28:48 +0800
Subject: [PATCH] fix CVE-2024-3205
---
 ...-handling-when-write_indicator-fails.patch | 52 +++++++++++++++++++
 ...-overflow-error-in-yaml-emitter-emit.patch | 32 ------------
 libyaml.spec | 7 ++-
 3 files changed, 57 insertions(+), 34 deletions(-)
 create mode 100644 backport-CVE-2024-3205-Fix-emitter-states-handling-when-write_indicator-fails.patch
 delete mode 100644 fix-heap-buffer-overflow-error-in-yaml-emitter-emit.patch
diff --git a/backport-CVE-2024-3205-Fix-emitter-states-handling-when-write_indicator-fails.patch b/backport-CVE-2024-3205-Fix-emitter-states-handling-when-write_indicator-fails.patch
new file mode 100644
index 0000000..97b6c40
--- /dev/null
+++ b/backport-CVE-2024-3205-Fix-emitter-states-handling-when-write_indicator-fails.patch
@@ -0,0 +1,52 @@
+From ff577b94511f9fc314435a1154f1124dccbe57ec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tina=20M=C3=BCller?=
+Date: Mon, 8 Apr 2024 23:32:52 +0200
+Subject: [PATCH] Fix emitter states handling when write_indicator fails
+
+There are cases where yaml_emitter_write_indicator fails.
+In that case POP is called on emitter->indents but not on emitter->states,
+which results in a leftover event in the stack, and later POP is called
+on an empty emitter->indents stack.
+
+This commit does not fix the case of the failing yaml_emitter_write_indicator.
+This is still investigated.
+---
+ src/emitter.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/emitter.c b/src/emitter.c
+index 609b28a4..0aca6c34 100644
+--- a/src/emitter.c
++++ b/src/emitter.c
+@@ -759,6 +759,7 @@ yaml_emitter_emit_flow_sequence_item(yaml_emitter_t *emitter,
+ {
+ emitter->flow_level --;
+ emitter->indent = POP(emitter, emitter->indents);
++ emitter->state = POP(emitter, emitter->states);
+ if (emitter->canonical && !first) {
+ if (!yaml_emitter_write_indicator(emitter, ",", 0, 0, 0))
+ return 0;
+@@ -767,7 +768,6 @@ yaml_emitter_emit_flow_sequence_item(yaml_emitter_t *emitter,
+ }
+ if (!yaml_emitter_write_indicator(emitter, "]", 0, 0, 0))
+ return 0;
+- emitter->state = POP(emitter, emitter->states);
+
+ return 1;
+ }
+@@ -808,6 +808,7 @@ yaml_emitter_emit_flow_mapping_key(yaml_emitter_t *emitter,
+ return 0;
+ emitter->flow_level --;
+ emitter->indent = POP(emitter, emitter->indents);
++ emitter->state = POP(emitter, emitter->states);
+ if (emitter->canonical && !first) {
+ if (!yaml_emitter_write_indicator(emitter, ",", 0, 0, 0))
+ return 0;
+@@ -816,7 +817,6 @@ yaml_emitter_emit_flow_mapping_key(yaml_emitter_t *emitter,
+ }
+ if (!yaml_emitter_write_indicator(emitter, "}", 0, 0, 0))
+ return 0;
+- emitter->state = POP(emitter, emitter->states);
+
+ return 1;
+ }
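Review bot: The backport only moves `emitter->state = POP(emitter, emitter->states)` ahead of the `yaml_emitter_write_indicator` calls in its two hunks, and its own description says the failing write_indicator case itself is not fixed and is still being investigated, yet this revision also deletes the local STACK_EMPTY guard from yaml_emitter_emit_flow_sequence_item, so an emitter driven past a failed write now relies entirely on the two stacks staying in step. Before the changelog claims CVE-2024-3205 fixed, rebuild with `-fsanitize=address` and rerun the reproducer that motivated the 0.2.5-4 guard against this backport alone; if it still trips, the guard should be reinstated on top of this patch rather than dropped. I would also record the partial nature in the changelog entry, e.g. `- fix CVE-2024-3205: backport upstream ff577b94 (unwind states together with indents; upstream notes the failing write_indicator case is still under investigation)`. Both patched functions begin and end outside the hunks shown.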
diff --git a/fix-heap-buffer-overflow-error-in-yaml-emitter-emit.patch b/fix-heap-buffer-overflow-error-in-yaml-emitter-emit.patch
deleted file mode 100644
index 8d13f7c..0000000
--- a/fix-heap-buffer-overflow-error-in-yaml-emitter-emit.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From cbd860b8e62ec0dc85d4d76a9a8900a3db9c740c Mon Sep 17 00:00:00 2001
-From: chenziyang
-Date: Tue, 8 Nov 2022 11:15:36 +0800
-Subject: [PATCH] Fix heap buffer overflow error in
- yaml_emitter_emit_flow_sequence_item function
-
----
- src/emitter.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/emitter.c b/src/emitter.c
-index 609b28a..336bfd1 100644
---- a/src/emitter.c
-+++ b/src/emitter.c
-@@ -758,7 +758,13 @@ yaml_emitter_emit_flow_sequence_item(yaml_emitter_t *emitter,
- if (event->type == YAML_SEQUENCE_END_EVENT)
- {
- emitter->flow_level --;
-- emitter->indent = POP(emitter, emitter->indents);
-+ if (!STACK_EMPTY(emitter, emitter->indents)) {
-+ emitter->indent = POP(emitter, emitter->indents);
-+ }
-+ else {
-+ emitter->indent = 0; // set to default
-+ }
-+
- if (emitter->canonical && !first) {
- if (!yaml_emitter_write_indicator(emitter, ",", 0, 0, 0))
- return 0;
---
-2.21.0.windows.1
-
diff --git a/libyaml.spec b/libyaml.spec
index 2c125bd..ba99e5c 100644
--- a/libyaml.spec
+++ b/libyaml.spec
@@ -1,13 +1,13 @@
 Name: libyaml
 Version: 0.2.5
-Release: 4
+Release: 5
 Summary: A C library for parsing and emitting YAML
 License: MIT
 URL: http://pyyaml.org/
 Source0: http://pyyaml.org/download/libyaml/yaml-%{version}.tar.gz
 Patch0: fix-heap-buffer-overflow-in-yaml_emitter_emit_flow_m.patch
-Patch1: fix-heap-buffer-overflow-error-in-yaml-emitter-emit.patch
+Patch1: backport-CVE-2024-3205-Fix-emitter-states-handling-when-write_indicator-fails.patch
 BuildRequires: gcc
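Review bot: Patch0 (`fix-heap-buffer-overflow-in-yaml_emitter_emit_flow_m.patch`) is kept ahead of the replaced Patch1, while the new backport was generated against the pristine 0.2.5 `src/emitter.c` (index 609b28a4) and its second hunk edits yaml_emitter_emit_flow_mapping_key at `@@ -808,6 +808,7 @@`; if Patch0 also touches that function, as its name suggests, the backport may apply with offset or fuzz, or leave a second `POP(emitter, emitter->states)` in place. Check the %prep log for fuzz and diff the patched emitter.c against upstream commit ff577b94; if Patch0 is superseded by the backport it should be dropped the same way the old Patch1 was. The %prep lines that apply the patch series are outside this hunk.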
@@ -68,6 +68,9 @@ make check
 %doc doc/html
 %changelog
+* Thu Apr 25 2024 fuanan - 0.2.5-5
+- fix CVE-2024-3205
+
 * Fri Nov 18 2022 chenziyang - 0.2.5-4
 - Fix heap buffer overflow in yaml_emitter_emit_flow_sequence_item
-- Gitee