lloyd / yajl

A fast streaming JSON parsing library in C.
http://lloyd.github.com/yajl
ISC License

CVE-2022-24795 #239

Open anticomputer opened 2 years ago

anticomputer commented 2 years ago

Hello, I am a member of the GitHub Security team and am seeking a maintainer contact for this project with regard to https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm

We were unable to establish contact with a maintainer for this project during the coordinated disclosure process for CVE-2022-24795. If this project is still actively maintained, we'd like to offer our assistance in getting this issue resolved in your library. If it is no longer actively maintained, we recommend archiving this repository.

robohack commented 2 years ago

I'm actively maintaining a derived version at https://github.com/robohack/yajl/ (on the default branch "bsdmake").

I'm not sure what this could mean for lloyd/yajl, except to say that I would not be opposed to archiving it.

(as lloyd/yajl, and thus so far my own variant, do not directly do their own memory allocation error checking, I think the simple quick hack is to add a basic assert(), and a safer fix would be a direct call to abort(); though also allowing greater than 2^31 byte buffers on 32-bit platforms through use of a non-exponential size increment might be appropriate)

anticomputer commented 2 years ago

👋 @robohack you can find our patches for the 1.x branch included with yajl-ruby here

robohack commented 2 years ago

Actually I take that suggestion for calling abort() back. (The assert() is still useful of course, but can't be expected to be enabled in all circumstances.)

The best general solution is to recommend that a user-supplied realloc call do whatever error handling it would do for a realloc() failure whenever an allocation of zero bytes is requested.
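An added illustration of the two mitigations discussed in this thread (buffer growth that falls back to a non-exponential step instead of wrapping, and a realloc wrapper that treats a zero-byte request as an error); this is example code written for this page, not code from lloyd/yajl or robohack/yajl, and the `grow_buf` type and every function name are hypothetical:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical growable byte buffer, not yajl's own yajl_buf. */
typedef struct {
    unsigned char *data;
    size_t len;   /* bytes in use */
    size_t cap;   /* bytes allocated */
} grow_buf;
/* realloc wrapper as the thread recommends: a zero-byte request is an
 * error and is never forwarded to the allocator; NULL is reported. */
void *checked_realloc(void *p, size_t sz) {
    if (sz == 0) return NULL;
    return realloc(p, sz);
}
/* New capacity for holding len + want bytes, starting from cap. Doubles
 * while that cannot wrap, then switches to the exact size needed, so a
 * buffer above 2^31 bytes stays reachable with a 32-bit size_t.
 * Returns 0 when len + want itself overflows. */
size_t grow_buf_next_cap(size_t cap, size_t len, size_t want) {
    if (want > SIZE_MAX - len) return 0;
    size_t need = len + want;
    if (cap < 64) cap = 64;             /* minimum initial allocation */
    while (cap < need) {
        if (cap > SIZE_MAX / 2) { cap = need; break; }  /* no wrap */
        cap *= 2;
    }
    return cap;
}
/* Ensure room for want more bytes; 0 on success, -1 with buffer untouched. */
int grow_buf_reserve(grow_buf *b, size_t want) {
    size_t new_cap = grow_buf_next_cap(b->cap, b->len, want);
    unsigned char *p;
    if (new_cap == 0) return -1;
    if (new_cap <= b->cap) return 0;
    p = checked_realloc(b->data, new_cap);
    if (p == NULL) return -1;
    b->data = p;
    b->cap = new_cap;
    return 0;
}
/* Append n bytes; the memcpy only runs once the reservation succeeded. */
int grow_buf_append(grow_buf *b, const void *src, size_t n) {
    if (grow_buf_reserve(b, n) != 0) return -1;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}
```

The caller sees every allocation failure as a return code instead of relying on an assert() that may be compiled out.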