$OpenBSD: patch-src_scanner_c,v 1.1 2014/01/31 14:05:26 jasper Exp $

Security fix for CVE-2013-6393 and additional fixes from RedHat
https://bugzilla.redhat.com/show_bug.cgi?id=1033990

--- src/scanner.c.orig	Fri Jan 31 13:53:01 2014
+++ src/scanner.c	Fri Jan 31 13:52:57 2014
@@ -615,12 +615,15 @@ yaml_parser_decrease_flow_level(yaml_parser_t *parser)
  */
 
 static int
-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+yaml_parser_roll_indent(yaml_parser_t *parser, size_t column,
         int number, yaml_token_type_t type, yaml_mark_t mark);
 
 static int
-yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
+yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column);
 
+static int
+yaml_parser_reset_indent(yaml_parser_t *parser);
+
 /*
  * Token fetchers.
  */
@@ -1206,7 +1209,7 @@ yaml_parser_decrease_flow_level(yaml_parser_t *parser)
  */
 
 static int
-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+yaml_parser_roll_indent(yaml_parser_t *parser, size_t column,
         int number, yaml_token_type_t type, yaml_mark_t mark)
 {
     yaml_token_t token;
@@ -1216,7 +1219,7 @@ yaml_parser_roll_indent(yaml_parser_t *parser, int col
     if (parser->flow_level)
         return 1;
 
-    if (parser->indent < column)
+    if (parser->indent == -1 || parser->indent < column)
     {
         /*
          * Push the current indentation level to the stack and set the new
@@ -1254,7 +1257,7 @@ yaml_parser_roll_indent(yaml_parser_t *parser, int col
 
 
 static int
-yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
+yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column)
 {
     yaml_token_t token;
 
@@ -1263,6 +1266,15 @@ yaml_parser_unroll_indent(yaml_parser_t *parser, int c
     if (parser->flow_level)
         return 1;
 
+    /*
+     * column is unsigned and parser->indent is signed, so if
+     * parser->indent is less than zero the conditional in the while
+     * loop below is incorrect.  Guard against that.
+     */
+    
+    if (parser->indent < 0)
+        return 1;
+
     /* Loop through the intendation levels in the stack. */
 
     while (parser->indent > column)
@@ -1283,6 +1295,41 @@ yaml_parser_unroll_indent(yaml_parser_t *parser, int c
 }
 
 /*
+ * Pop indentation levels from the indents stack until the current
+ * level resets to -1.  For each intendation level, append the
+ * BLOCK-END token.
+ */
+
+static int
+yaml_parser_reset_indent(yaml_parser_t *parser)
+{
+    yaml_token_t token;
+
+    /* In the flow context, do nothing. */
+
+    if (parser->flow_level)
+        return 1;
+
+    /* Loop through the intendation levels in the stack. */
+
+    while (parser->indent > -1)
+    {
+        /* Create a token and append it to the queue. */
+
+        TOKEN_INIT(token, YAML_BLOCK_END_TOKEN, parser->mark, parser->mark);
+
+        if (!ENQUEUE(parser, parser->tokens, token))
+            return 0;
+
+        /* Pop the indentation level. */
+
+        parser->indent = POP(parser, parser->indents);
+    }
+
+    return 1;
+}
+
+/*
  * Initialize the scanner and produce the STREAM-START token.
  */
 
@@ -1338,7 +1385,7 @@ yaml_parser_fetch_stream_end(yaml_parser_t *parser)
 
     /* Reset the indentation level. */
 
-    if (!yaml_parser_unroll_indent(parser, -1))
+    if (!yaml_parser_reset_indent(parser))
         return 0;
 
     /* Reset simple keys. */
@@ -1369,7 +1416,7 @@ yaml_parser_fetch_directive(yaml_parser_t *parser)
 
     /* Reset the indentation level. */
 
-    if (!yaml_parser_unroll_indent(parser, -1))
+    if (!yaml_parser_reset_indent(parser))
         return 0;
 
     /* Reset simple keys. */
@@ -1407,7 +1454,7 @@ yaml_parser_fetch_document_indicator(yaml_parser_t *pa
 
     /* Reset the indentation level. */
 
-    if (!yaml_parser_unroll_indent(parser, -1))
+    if (!yaml_parser_reset_indent(parser))
         return 0;
 
     /* Reset simple keys. */
@@ -2574,7 +2621,7 @@ yaml_parser_scan_tag_uri(yaml_parser_t *parser, int di
 
     /* Resize the string to include the head. */
 
-    while (string.end - string.start <= (int)length) {
+    while ((size_t)(string.end - string.start) <= length) {
         if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) {
             parser->error = YAML_MEMORY_ERROR;
             goto error;
