diff --git a/backport-CVE-2022-24795.patch b/backport-CVE-2022-24795.patch new file mode 100644 index 0000000000000000000000000000000000000000..416793b20f3110db283427038074be4271313582 --- /dev/null +++ b/backport-CVE-2022-24795.patch @@ -0,0 +1,58 @@ +From 23cea2d7677e396efed78bbf1bf153961fab6bad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Thu, 7 Apr 2022 17:29:54 +0200 +Subject: [PATCH] Fix CVE-2022-24795 + +There was an integer overflow in yajl_buf_ensure_available() leading +to allocating less memory than requested. Then data were written past +the allocated heap buffer in yajl_buf_append(), the only caller of +yajl_buf_ensure_available(). Another result of the overflow was an +infinite loop without a return from yajl_buf_ensure_available(). + +yajl-ruby project, which bundles yajl, fixed it + by checking for the +integer overflow, fortifying buffer allocations, and report the +failures to a caller. But then the caller yajl_buf_append() skips +a memory write if yajl_buf_ensure_available() failed leading to a data +corruption. + +A yajl fork mainter recommended calling memory allocation callbacks with +the large memory request and let them to handle it. But that has the +problem that it's not possible pass the overely large size to the +callbacks. + +This patch catches the integer overflow and terminates the process +with abort(). + +https://github.com/lloyd/yajl/issues/239 +https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm +--- + src/yajl_buf.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/yajl_buf.c b/src/yajl_buf.c +index 1aeafde..55c11ad 100644 +--- a/src/yajl_buf.c ++++ b/src/yajl_buf.c +@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want) + + need = buf->len; + +- while (want >= (need - buf->used)) need <<= 1; ++ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) { ++ /* We cannot allocate more memory than SIZE_MAX. */ ++ abort(); ++ } ++ while (want >= (need - buf->used)) { ++ if (need >= (size_t)((size_t)(-1)<<1)>>1) { ++ /* need would overflow. */ ++ abort(); ++ } ++ need <<= 1; ++ } + + if (need != buf->len) { + buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need); +-- +2.27.0 + diff --git a/yajl.spec b/yajl.spec index ce3ef079dfb064b601f67d183ccb322c5f3c4338..87cb7eaa8ac8cad94feca58df87525645c933c69 100644 --- a/yajl.spec +++ b/yajl.spec @@ -1,6 +1,6 @@ Name: yajl Version: 2.1.0 -Release: 16 +Release: 17 Summary: Yet Another JSON Library License: ISC URL: http://lloyd.github.com/yajl/ @@ -13,6 +13,7 @@ Patch4: 0004-yajl-2.1.0-dynlink-binaries.patch Patch5: 0005-yajl-2.1.0-fix-memory-leak.patch Patch6: 0006-fix-memory-leak-of-ctx-root.patch Patch7: 0007-add-cmake-option-for-test-and-binary.patch +Patch8: backport-CVE-2022-24795.patch BuildRequires: cmake gcc @@ -69,6 +70,9 @@ cd ../api %{_libdir}/libyajl_s.a %changelog +* Fri Sep 9 2022 panxiaohe - 2.1.0-17 +- fix CVE-2022-24795 + * Wed Jun 8 2022 haozi007 - 2.1.0-16 - add index for patch and add cmake options