Patch CVE-2022-24795

The patch uses an abort() to prevent heap memory corruption, but per the
discussion here

  lloyd#240

it seems that's the best option available without a significant rewrite
of the library.

debian/changelog

@@ -2,7 +2,7 @@ yajl (2.1.0-4) UNRELEASED; urgency=medium
 
   * Acknowledge NMU.  Thank you, Tobias, for the work.
     (Closes: #1039984, #1040034)
-  * Patch CVE-2017-16516
+  * Patch CVE-2017-16516 and CVE-2022-24795 (Closes: #1040036)
 
  -- John Stamp <jstamp@users.sourceforge.net>  Sun, 02 Jul 2023 10:40:25 -0700
 

debian/patches/CVE-2022-24795.patch

@@ -0,0 +1,30 @@
+Description: Fix for CVE-2022-24795
+ An integer overflow will lead to heap memory corruption with large (~2GB) inputs.
+Origin: https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
+Bug: https://github.com/lloyd/yajl/issues/239
+---
+ src/yajl_buf.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/src/yajl_buf.c
++++ b/src/yajl_buf.c
+@@ -45,7 +45,17 @@
+
+     need = buf->len;
+
+-    while (want >= (need - buf->used)) need <<= 1;
++    if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
++        /* We cannot allocate more memory than SIZE_MAX. */
++        abort();
++    }
++    while (want >= (need - buf->used)) {
++        if (need >= (size_t)((size_t)(-1)<<1)>>1) {
++            /* need would overflow. */
++            abort();
++        }
++        need <<= 1;
++    }
+
+     if (need != buf->len) {
+         buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);

debian/patches/series

@@ -1,4 +1,5 @@
 dynamically-link-tools.patch
 multiarch.patch
 CVE-2017-16516.patch
+CVE-2022-24795.patch
 CVE-2023-33460.patch