meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

Fix memory leaks.  Taken from the Fedora packaging (https://src.fedoraproject.org/rpms/yajl)
where it was backported from openEuler.

CVE: CVE-2023-33460
Upstream-Status: Submitted [https://github.com/lloyd/yajl/issues/250]
Signed-off-by: Ross Burton <ross.burton@arm.com>

diff --git a/src/yajl_tree.c b/src/yajl_tree.c
index 3d357a3..56c7012 100644
--- a/src/yajl_tree.c
+++ b/src/yajl_tree.c
@@ -143,7 +143,7 @@ static yajl_val context_pop(context_t *ctx)
     ctx->stack = stack->next;
 
     v = stack->value;
-
+    free (stack->key);
     free (stack);
 
     return (v);
@@ -444,7 +444,14 @@ yajl_val yajl_tree_parse (const char *input,
              snprintf(error_buffer, error_buffer_size, "%s", internal_err_str);
              YA_FREE(&(handle->alloc), internal_err_str);
         }
+        while(ctx.stack != NULL) {
+             yajl_val v = context_pop(&ctx);
+             yajl_tree_free(v);
+        }
         yajl_free (handle);
+	//If the requested memory is not released in time, it will cause memory leakage
+	if(ctx.root)
+	     yajl_tree_free(ctx.root);
         return NULL;
     }