The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.
FIX:
/* Resize the string to include the head. */
while ((size_t)(string.end - string.start) <= length) {
if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) {
parser->error = YAML_MEMORY_ERROR;
goto error;