This patch adds a new macro STACK_NULL to check if given stack was initialized, in order to fix yaml#298, which is CVE-2024-35329.
The root cause is stack(document->nodes) was used before initialized, so check stack before push.
According to the poc in [1], building it with
gcc poc.c -o poc -lyaml -fsanitize=address
Before this patch, the output is:
[root@test yaml-0.2.5]# ./poc
heap-buffer-overflow on libyaml/src/api.c:1274:10
================================================================= ==3867981==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7f571f6af1a7 in __interceptor_malloc (/usr/lib64/libasan.so.6+0xaf1a7)
#1 0x7f5720127ac9 in yaml_document_add_sequence /root/libxml/yaml-0.2.5/src/api.c:1271
Direct leak of 22 byte(s) in 1 object(s) allocated from:
#0 0x7f571f659707 in strdup (/usr/lib64/libasan.so.6+0x59707)
#1 0x7f5720127ab7 in yaml_document_add_sequence /root/libxml/yaml-0.2.5/src/api.c:1268
Direct leak of 1 byte(s) in 1 object(s) allocated from:
#0 0x7f571f6af1a7 in __interceptor_malloc (/usr/lib64/libasan.so.6+0xaf1a7)
#1 0x7f5720125762 in yaml_stack_extend /root/libxml/yaml-0.2.5/src/api.c:126
SUMMARY: AddressSanitizer: 87 byte(s) leaked in 3 allocation(s).
After this patch, there are no memory leaks warnnings.
This patch adds a new macro STACK_NULL to check if given stack was initialized, in order to fix yaml#298, which is CVE-2024-35329.
The root cause is stack(document->nodes) was used before initialized, so check stack before push.
According to the poc in [1], building it with
gcc poc.c -o poc -lyaml -fsanitize=addressBefore this patch, the output is:
After this patch, there are no memory leaks warnnings.
[1] https://drive.google.com/file/d/1xgQ9hJ7Sn5RVEsdMGvIy0s3b_bg3Wyk-/view?usp=sharing
edit @perlpunk: add code markers