* gnu/packages/patches/yajl-CVE-2023-33460.patch: Add file.
* gnu/local.mk: Record patch.
* gnu/packages/web.scm (yajl)[source]: Record patch.
---
gnu/local.mk | 1 +
.../patches/yajl-CVE-2023-33460.patch | 38 +++++++++++++++++++
gnu/packages/web.scm | 4 +-
3 files changed, 42 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/yajl-CVE-2023-33460.patch
@@ -2439,6 +2439,7 @@ dist_patch_DATA = \
%D%/packages/patches/xterm-370-explicit-xcursor.patch \
%D%/packages/patches/xygrib-fix-finding-data.patch \
%D%/packages/patches/xygrib-newer-proj.patch \
+ %D%/packages/patches/yajl-CVE-2023-33460.patch \
%D%/packages/patches/yggdrasil-extra-config.patch \
%D%/packages/patches/zig-0.9-build-respect-PKG_CONFIG-env-var.patch \
%D%/packages/patches/zig-0.9-fix-runpath.patch \
new file mode 100644
@@ -0,0 +1,38 @@
+Memory leak in yajl 2.1.0 with use of yajl_tree_parse function
+See https://github.com/lloyd/yajl/issues/250#issuecomment-1628695214
+
+Origin: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984
+Bug: https://github.com/lloyd/yajl/issues/250
+---
+ src/yajl_tree.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/yajl_tree.c b/src/yajl_tree.c
+index 3d357a32..56c7012f 100644
+--- a/src/yajl_tree.c
++++ b/src/yajl_tree.c
+@@ -143,7 +143,7 @@ static yajl_val context_pop(context_t *ctx)
+ ctx->stack = stack->next;
+
+ v = stack->value;
+-
++ free (stack->key);
+ free (stack);
+
+ return (v);
+@@ -444,7 +444,14 @@ yajl_val yajl_tree_parse (const char *input,
+ snprintf(error_buffer, error_buffer_size, "%s", internal_err_str);
+ YA_FREE(&(handle->alloc), internal_err_str);
+ }
++ while(ctx.stack != NULL) {
++ yajl_val v = context_pop(&ctx);
++ yajl_tree_free(v);
++ }
+ yajl_free (handle);
++ //If the requested memory is not released in time, it will cause memory leakage
++ if(ctx.root)
++ yajl_tree_free(ctx.root);
+ return NULL;
+ }
+
@@ -1746,7 +1746,9 @@ (define-public yajl
(file-name (git-file-name name version))
(sha256
(base32
- "00yj06drb6izcxfxfqlhimlrb089kka0w0x8k27pyzyiq7qzcvml"))))
+ "00yj06drb6izcxfxfqlhimlrb089kka0w0x8k27pyzyiq7qzcvml"))
+ (patches
+ (search-patches "yajl-CVE-2023-33460.patch"))))
(build-system cmake-build-system)
(arguments
'(#:phases