diff options
| author | V3n3RiX <venerix@redcorelinux.org> | 2018-07-14 21:03:06 +0100 |
|---|---|---|
| committer | V3n3RiX <venerix@redcorelinux.org> | 2018-07-14 21:03:06 +0100 |
| commit | 8376ef56580626e9c0f796d5b85b53a0a1c7d5f5 (patch) | |
| tree | 7681bbd4e8b05407772df40a4bf04cbbc8afc3fa /dev-cpp/yaml-cpp/files/yaml-cpp-0.6.2-CVE-2017-5950.patch | |
| parent | 30a9caf154332f12ca60756e1b75d2f0e3e1822d (diff) | |
gentoo resync : 14.07.2018
Diffstat (limited to 'dev-cpp/yaml-cpp/files/yaml-cpp-0.6.2-CVE-2017-5950.patch')
| -rw-r--r-- | dev-cpp/yaml-cpp/files/yaml-cpp-0.6.2-CVE-2017-5950.patch | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/dev-cpp/yaml-cpp/files/yaml-cpp-0.6.2-CVE-2017-5950.patch b/dev-cpp/yaml-cpp/files/yaml-cpp-0.6.2-CVE-2017-5950.patch new file mode 100644 index 000000000000..2892108bd250 --- /dev/null +++ b/dev-cpp/yaml-cpp/files/yaml-cpp-0.6.2-CVE-2017-5950.patch @@ -0,0 +1,45 @@ +From d540476e31b080aa1f903ad20ec0426dd3838be7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org> +Date: Tue, 25 Apr 2017 20:10:20 -0400 +Subject: [PATCH] fix stack overflow in HandleNode() (CVE-2017-5950) + +simply set a hardcoded recursion limit to 2000 (inspired by Python's) +to avoid infinitely recursing into arbitrary data structures + +assert() the depth. unsure if this is the right approach, but given +that HandleNode() is "void", I am not sure how else to return an +error. the problem with this approach of course is that it will still +crash the caller, unless they have proper exception handling in place. + +Closes: #459 +--- + src/singledocparser.cpp | 2 ++ + src/singledocparser.h | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/src/singledocparser.cpp b/src/singledocparser.cpp +index a27c1c3b..1b4262ee 100644 +--- a/src/singledocparser.cpp ++++ b/src/singledocparser.cpp +@@ -46,6 +46,8 @@ void SingleDocParser::HandleDocument(EventHandler& eventHandler) { + } + + void SingleDocParser::HandleNode(EventHandler& eventHandler) { ++ assert(depth < depth_limit); ++ depth++; + // an empty node *is* a possibility + if (m_scanner.empty()) { + eventHandler.OnNull(m_scanner.mark(), NullAnchor); +diff --git a/src/singledocparser.h b/src/singledocparser.h +index 2b92067c..7046f1e2 100644 +--- a/src/singledocparser.h ++++ b/src/singledocparser.h +@@ -51,6 +51,8 @@ class SingleDocParser : private noncopyable { + anchor_t LookupAnchor(const Mark& mark, const std::string& name) const; + + private: ++ int depth = 0; ++ int depth_limit = 2000; + Scanner& m_scanner; + const Directives& m_directives; + std::unique_ptr<CollectionStack> m_pCollectionStack; |