Overview

File yaml-cpp-CVE-2017-5950.patch of Package yaml-cpp

Index: yaml-cpp-yaml-cpp-0.6.1/src/singledocparser.cpp
===================================================================
--- yaml-cpp-yaml-cpp-0.6.1.orig/src/singledocparser.cpp
+++ yaml-cpp-yaml-cpp-0.6.1/src/singledocparser.cpp
@@ -46,6 +46,9 @@ void SingleDocParser::HandleDocument(Eve
 }
 
 void SingleDocParser::HandleNode(EventHandler& eventHandler) {
+  if (depth > depth_limit) {
+    throw ParserException(m_scanner.mark(), ErrorMsg::BAD_FILE);
+  }
   // an empty node *is* a possibility
   if (m_scanner.empty()) {
     eventHandler.OnNull(m_scanner.mark(), NullAnchor);
@@ -57,9 +60,11 @@ void SingleDocParser::HandleNode(EventHa
 
   // special case: a value node by itself must be a map, with no header
   if (m_scanner.peek().type == Token::VALUE) {
+    depth++;
     eventHandler.OnMapStart(mark, "?", NullAnchor, EmitterStyle::Default);
     HandleMap(eventHandler);
     eventHandler.OnMapEnd();
+    depth--;
     return;
   }
 
@@ -94,32 +99,42 @@ void SingleDocParser::HandleNode(EventHa
       m_scanner.pop();
       return;
     case Token::FLOW_SEQ_START:
+      depth++;
       eventHandler.OnSequenceStart(mark, tag, anchor, EmitterStyle::Flow);
       HandleSequence(eventHandler);
       eventHandler.OnSequenceEnd();
+      depth--;
       return;
     case Token::BLOCK_SEQ_START:
+      depth++;
       eventHandler.OnSequenceStart(mark, tag, anchor, EmitterStyle::Block);
       HandleSequence(eventHandler);
       eventHandler.OnSequenceEnd();
+      depth--;
       return;
     case Token::FLOW_MAP_START:
+      depth++;
       eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Flow);
       HandleMap(eventHandler);
       eventHandler.OnMapEnd();
+      depth--;
       return;
     case Token::BLOCK_MAP_START:
+      depth++;
       eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Block);
       HandleMap(eventHandler);
       eventHandler.OnMapEnd();
+      depth--;
       return;
     case Token::KEY:
       // compact maps can only go in a flow sequence
       if (m_pCollectionStack->GetCurCollectionType() ==
           CollectionType::FlowSeq) {
+        depth++;
         eventHandler.OnMapStart(mark, tag, anchor, EmitterStyle::Flow);
         HandleMap(eventHandler);
         eventHandler.OnMapEnd();
+        depth--;
         return;
       }
       break;
Index: yaml-cpp-yaml-cpp-0.6.1/src/singledocparser.h
===================================================================
--- yaml-cpp-yaml-cpp-0.6.1.orig/src/singledocparser.h
+++ yaml-cpp-yaml-cpp-0.6.1/src/singledocparser.h
@@ -51,6 +51,8 @@ class SingleDocParser : private noncopya
   anchor_t LookupAnchor(const Mark& mark, const std::string& name) const;
 
  private:
+  int depth = 0;
+  int depth_limit = 2048;
   Scanner& m_scanner;
   const Directives& m_directives;
   std::unique_ptr<CollectionStack> m_pCollectionStack;
openSUSE Build Service is sponsored by
Places