CBL-Mariner/SPECS/moby-buildx/CVE-2022-28948.patch


From 6d8040e5ae88d74d619980a0115a4eb91e47c405 Mon Sep 17 00:00:00 2001
From: Cameron Baird <cameronbaird@microsoft.com>
Date: Fri, 12 Jul 2024 20:37:35 +0000
Subject: [PATCH 2/3] CVE-2022-28948
Upstream fix: 8f96da9f5d5eff988554c1aae1784627c4bf6754
Explicitly check the parser for errors on peek
It's a curious choice in the underlying API: it generally returns a
positive result on success, but in this case it returns true in an error
scenario, so callers must also inspect the parser's error field.
---
vendor/gopkg.in/yaml.v2/decode.go | 5 ++++-
vendor/gopkg.in/yaml.v3/decode.go | 5 ++++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/vendor/gopkg.in/yaml.v2/decode.go b/vendor/gopkg.in/yaml.v2/decode.go
index 129bc2a..7473d4b 100644
--- a/vendor/gopkg.in/yaml.v2/decode.go
+++ b/vendor/gopkg.in/yaml.v2/decode.go
@@ -102,7 +102,10 @@ func (p *parser) peek() yaml_event_type_t {
if p.event.typ != yaml_NO_EVENT {
return p.event.typ
}
- if !yaml_parser_parse(&p.parser, &p.event) {
+ // It's curious choice from the underlying API to generally return a
+ // positive result on success, but on this case return true in an error
+ // scenario. This was the source of bugs in the past (issue #666).
+ if !yaml_parser_parse(&p.parser, &p.event) || p.parser.error != yaml_NO_ERROR {
p.fail()
}
return p.event.typ
diff --git a/vendor/gopkg.in/yaml.v3/decode.go b/vendor/gopkg.in/yaml.v3/decode.go
index df36e3a..f316f51 100644
--- a/vendor/gopkg.in/yaml.v3/decode.go
+++ b/vendor/gopkg.in/yaml.v3/decode.go
@@ -100,7 +100,10 @@ func (p *parser) peek() yaml_event_type_t {
if p.event.typ != yaml_NO_EVENT {
return p.event.typ
}
- if !yaml_parser_parse(&p.parser, &p.event) {
+ // It's curious choice from the underlying API to generally return a
+ // positive result on success, but on this case return true in an error
+ // scenario. This was the source of bugs in the past (issue #666).
+ if !yaml_parser_parse(&p.parser, &p.event) || p.parser.error != yaml_NO_ERROR {
p.fail()
}
return p.event.typ
--
2.34.1