Diffstat (limited to 'libyajl-CVE-2022-24795.patch')
-rw-r--r--libyajl-CVE-2022-24795.patch36
1 files changed, 36 insertions, 0 deletions
diff --git a/libyajl-CVE-2022-24795.patch b/libyajl-CVE-2022-24795.patch
new file mode 100644
index 0000000..3fb9177
--- /dev/null
+++ b/libyajl-CVE-2022-24795.patch
@@ -0,0 +1,36 @@
+From d3a528c788ba9e531fab91db41d3a833c54da325 Mon Sep 17 00:00:00 2001
+From: Jacek Tomasiak <jacek.tomasiak@gmail.com>
+Date: Thu, 12 May 2022 13:02:47 +0200
+Subject: [PATCH] Fix CVE-2022-24795 (from brianmario/yajl-ruby)
+
+The buffer reallocation could cause heap corruption because of `need`
+overflow for large inputs. In addition, there's a possible infinite loop
+in case `need` reaches zero.
+
+The fix is to `abort()` if the loop ends with lower value of `need` than
+when it started.
+---
+ src/yajl_buf.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+Index: yajl-2.1.0/src/yajl_buf.c
+===================================================================
+--- yajl-2.1.0.orig/src/yajl_buf.c
++++ yajl-2.1.0/src/yajl_buf.c
+@@ -45,7 +45,15 @@ void yajl_buf_ensure_available(yajl_buf
+
+ need = buf->len;
+
+- while (want >= (need - buf->used)) need <<= 1;
++ while (need > 0 && want >= (need - buf->used)) {
++ /* this eventually "overflows" to zero */
++ need <<= 1;
++ }
++
++ /* overflow */
++ if (need < buf->len) {
++ abort();
++ }
+
+ if (need != buf->len) {
+ buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
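Review bot: The `abort()` added after the loop turns an attacker-reachable size wrap into a deterministic termination of the host process, and the bare `/* overflow */` comment does not say why that outcome was chosen; since yajl_buf_ensure_available returns void and its `need` declaration sits above the hunk, there is no channel to report the failure, so the choice is defensible but should be recorded as `/* need wrapped around: this function has no error return, so abort rather than hand a too-small block to YA_REALLOC and corrupt the heap */`. The `need > 0` guard is what ends the loop once `need` has wrapped to exactly zero (since `0 << 1` stays zero), but `/* this eventually "overflows" to zero */` reads as if the wrap were the intended exit; `/* size_t doubling wraps to zero once the top bit is shifted out; the need > 0 test stops the loop there and the check below aborts */` states the mechanism. Both the wrap and the `need < buf->len` test are only well-defined if `need` is an unsigned type — a signed left shift past the top bit would be undefined behaviour before the check runs — so confirm against the declaration outside the hunk. The `YA_REALLOC` result on the last context line is still assigned to `buf->data` without a NULL check, which this patch leaves as it was.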