Sanity check YAML files before parsing

It seems as_node_yaml_process_layer() just spins if you pass it data with an
invalid header. If we can't trust libyaml, try to check the first line and
return an error if it doesn't match what we expect.

Works around https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/1591868
although the real bugs lie both in libyaml for spinning forever on invalid
input, *and* whatever project wrote that invalid DEP-11 file.

1 files changed, 15 insertions, 0 deletions

diff --git a/libappstream-glib/as-yaml.c b/libappstream-glib/as-yaml.c
index b1b486d..e0c9c3f 100644
--- a/libappstream-glib/as-yaml.c
+++ b/libappstream-glib/as-yaml.c
@@ -272,6 +272,21 @@ as_yaml_from_data (const gchar *data, gssize data_len, GError **error)
 	AsNode *node = NULL;
 #if AS_BUILD_DEP11
 	yaml_parser_t parser;
+	g_autofree gchar *prefix = NULL;
+
+	/* sanity check */
+	prefix = g_strndup (data, 64);
+	g_strdelimit  (prefix, "\n", '\0');
+	if (!g_str_has_prefix (prefix, "---") &&
+	    !g_str_has_prefix (prefix, "#") &&
+	    !g_str_has_prefix (prefix, "File: ")) {
+		g_set_error (error,
+			     AS_NODE_ERROR,
+			     AS_NODE_ERROR_INVALID_MARKUP,
+			     "YAML prefix invalid: %s expected '---' or '#'",
+			     prefix);
+		return NULL;
+	}
 
 	/* parse */
 	yaml_parser_initialize (&parser);