CVSS v3.x: 5.9 (Medium)
- >= 1.4.2
The 1.x branch and the 2.x branch of yajl contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs.
The reallocation logic at yajl_buf.c#L64
may result in the
need 32bit integer wrapping to 0 when
a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation
of buf->alloc into a small heap chunk.
These integers are declared as
size_t in the 2.x branch of
practically prevents the issue from triggering on 64bit platforms, however
this does not preclude this issue triggering on 32bit builds on which
size_t is a 32bit integer.
Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption.
We rate this as a moderate severity vulnerability which mostly impacts process availability as we believe exploitation for arbitrary code execution to be unlikely.
Patched in yajl-ruby 1.4.2
Avoid passing large inputs to YAJL