Package: ruby-ox / 2.1.1-2+deb8u1

fix_parse_obj_segfault.patch Patch series | download
Description: Avoid crash with invalid XML passed to Ox.parse_obj()
 This fixes CVE-2017-15928.
Author: Peter Ohler <peter@ohler.com>
Origin: https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8.patch
Bug: https://github.com/ohler55/ox/issues/194
Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
Last-Update: 2017-11-25

--- a/ext/ox/obj_load.c
+++ b/ext/ox/obj_load.c
@@ -791,8 +791,10 @@
 		    Helper	gh;
 
 		    helper_stack_pop(&pi->helpers);
-		    gh = helper_stack_peek(&pi->helpers);
-
+		    if (NULL == (gh = helper_stack_peek(&pi->helpers))) {
+			set_error(&pi->err, "Corrupt parse stack, container is wrong type", pi->str, pi->s);
+			return;
+		    }
 		    rb_hash_aset(gh->obj, ph->obj, h->obj);
 		}
 		break;
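Review bot: The new guard rejects only an empty helper stack, although its message says "container is wrong type": a non-NULL `gh` still reaches `rb_hash_aset(gh->obj, ph->obj, h->obj)` with no check that `gh->obj` is actually a Hash. If malformed input can leave a different kind of container on top of the stack (this hunk does not show whether it can), the call would operate on an object of the wrong type, since `rb_hash_aset` does not appear to validate its receiver. I would extend the condition to `if (NULL == (gh = helper_stack_peek(&pi->helpers)) || !RB_TYPE_P(gh->obj, T_HASH)) {` and add a regression test using the input from the linked bug report. The enclosing case and function start and end outside the hunk, so whether `ph` and `h` are validated earlier cannot be confirmed from here.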
--- a/ext/ox/err.c
+++ b/ext/ox/err.c
@@ -42,7 +42,11 @@
     va_end(ap);
 }
 
+#if __GNUC__ > 4
+_Noreturn void
+#else
 void
+#endif
 ox_err_raise(Err e) {
     rb_raise(e->clas, "%s", e->msg);
 }
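Review bot: The `#if __GNUC__ > 4` test around `_Noreturn` checks the compiler version where a language-feature check is needed, and it is repeated verbatim on `_ox_raise_error` in ext/ox/ox.c. Compilers that report `__GNUC__` as 4 or leave it undefined take the plain `void` branch even when they support `_Noreturn`. The specifier is also on the definition only, so callers benefit only if the prototype in the header (not part of the visible patch) carries it too. I would define one macro in a shared header, guarded by `#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L`, and use it on both the prototypes and the definitions, with a short comment saying the functions always raise via `rb_raise`.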
--- a/ext/ox/ox.c
+++ b/ext/ox/ox.c
@@ -990,7 +990,11 @@
 #endif
 }
 
+#if __GNUC__ > 4
+_Noreturn void
+#else
 void
+#endif
 _ox_raise_error(const char *msg, const char *xml, const char *current, const char* file, int line) {
     int	xline = 1;
     int	col = 1;