From d1003a9d40b674520934f4f38ffc4ff2a809bc2d Mon Sep 17 00:00:00 2001
From: Kirill Simonov <xi@resolvent.net>
Date: Wed, 26 Mar 2014 07:03:17 -0500
Subject: Fixed heap overflow in yaml_parser_scan_uri_escapes (Thanks Ivan
 Fratric of the Google Security Team).

---
 src/scanner.c      | 3 +++
 src/yaml_private.h | 7 +++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/scanner.c b/src/scanner.c
index 8817de2..88d4fa5 100644
--- a/src/scanner.c
+++ b/src/scanner.c
@@ -2629,6 +2629,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *parser, int directive,
         /* Check if it is a URI-escape sequence. */
 
         if (CHECK(parser->buffer, '%')) {
+            if (!STRING_EXTEND(parser, string))
+                goto error;
+
             if (!yaml_parser_scan_uri_escapes(parser,
                         directive, start_mark, &string)) goto error;
         }
diff --git a/src/yaml_private.h b/src/yaml_private.h
index 9589e05..f0e1001 100644
--- a/src/yaml_private.h
+++ b/src/yaml_private.h
@@ -143,9 +143,12 @@ yaml_string_join(
      (string).start = (string).pointer = (string).end = 0)
 
 #define STRING_EXTEND(context,string)                                           \
-    (((string).pointer+5 < (string).end)                                        \
+    ((((string).pointer+5 < (string).end)                                       \
         || yaml_string_extend(&(string).start,                                  \
-            &(string).pointer, &(string).end))
+            &(string).pointer, &(string).end)) ?                                \
+         1 :                                                                    \
+        ((context)->error = YAML_MEMORY_ERROR,                                  \
+         0))
 
 #define CLEAR(context,string)                                                   \
     ((string).pointer = (string).start,                                         \
-- 
cgit v1.2.1