diff options
| author | shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2008-06-19 23:12:52 +0000 |
|---|---|---|
| committer | shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2008-06-19 23:12:52 +0000 |
| commit | dc88e0adda313360d976441e58237e4897f9538f (patch) | |
| tree | cc4e6fa1dff263effcfdcdbb4ae6c0ef410faf7f | |
| parent | 63ff1abc033116bc195512ad27c278d0c98db4bc (diff) | |
| parent | 60243650cff2fbf678806bed4b0d57c6209d10cc (diff) | |
add tag v1_8_5_229v1_8_5_229
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/tags/v1_8_5_229@17461 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
| -rw-r--r-- | ChangeLog | 15 | ||||
| -rw-r--r-- | array.c | 19 | ||||
| -rw-r--r-- | intern.h | 1 | ||||
| -rw-r--r-- | sprintf.c | 11 | ||||
| -rw-r--r-- | string.c | 22 | ||||
| -rw-r--r-- | version.h | 2 |
6 files changed, 49 insertions, 21 deletions
@@ -1,3 +1,18 @@ +Wed Jun 18 22:25:28 2008 URABE Shyouhei <[email protected]> + + * array.c (ary_new, rb_ary_initialize, rb_ary_store, + rb_ary_aplice, rb_ary_times): integer overflows should be + checked. based on patches from Drew Yao <ayao at apple.com> + fixed CVE-2008-2726 + + * string.c (rb_str_buf_append): fixed unsafe use of alloca, + which led memory corruption. based on a patch from Drew Yao + <ayao at apple.com> fixed CVE-2008-2726 + + * sprintf.c (rb_str_format): backported from trunk. + + * intern.h: ditto. + Fri Jun 20 01:40:21 2008 Nobuyoshi Nakada <[email protected]> * array.c (rb_ary_equal, rb_ary_eql, rb_ary_hash, rb_ary_cmp): @@ -20,6 +20,7 @@ VALUE rb_cArray; static ID id_cmp; #define ARY_DEFAULT_SIZE 16 +#define ARY_MAX_SIZE (LONG_MAX / sizeof(VALUE)) void rb_mem_clear(mem, size) @@ -120,7 +121,7 @@ ary_new(klass, len) if (len < 0) { rb_raise(rb_eArgError, "negative array size (or size too big)"); } - if (len > 0 && len * sizeof(VALUE) <= len) { + if (len > ARY_MAX_SIZE) { rb_raise(rb_eArgError, "array size too big"); } if (len == 0) len++; @@ -293,7 +294,7 @@ rb_ary_initialize(argc, argv, ary) if (len < 0) { rb_raise(rb_eArgError, "negative array size"); } - if (len > 0 && len * (long)sizeof(VALUE) <= len) { + if (len > ARY_MAX_SIZE) { rb_raise(rb_eArgError, "array size too big"); } if (len > RARRAY(ary)->aux.capa) { @@ -358,6 +359,9 @@ rb_ary_store(ary, idx, val) idx - RARRAY(ary)->len); } } + else if (idx >= ARY_MAX_SIZE) { + rb_raise(rb_eIndexError, "index %ld too big", idx); + } rb_ary_modify(ary); if (idx >= RARRAY(ary)->aux.capa) { @@ -366,10 +370,10 @@ rb_ary_store(ary, idx, val) if (new_capa < ARY_DEFAULT_SIZE) { new_capa = ARY_DEFAULT_SIZE; } - new_capa += idx; - if (new_capa * (long)sizeof(VALUE) <= new_capa) { - rb_raise(rb_eArgError, "index too big"); + else if (new_capa >= ARY_MAX_SIZE - idx) { + new_capa = (ARY_MAX_SIZE - idx) / 2; } + new_capa += idx; REALLOC_N(RARRAY(ary)->ptr, VALUE, new_capa); RARRAY(ary)->aux.capa = new_capa; } @@ -968,6 +972,9 @@ rb_ary_splice(ary, beg, len, rpl) if (beg >= RARRAY(ary)->len) { len = beg + rlen; + if (len < 0 || len > ARY_MAX_SIZE) { + rb_raise(rb_eIndexError, "index %ld too big", beg); + } if (len >= RARRAY(ary)->aux.capa) { REALLOC_N(RARRAY(ary)->ptr, VALUE, len); RARRAY(ary)->aux.capa = len; @@ -2370,7 +2377,7 @@ rb_ary_times(ary, times) if (len < 0) { rb_raise(rb_eArgError, "negative argument"); } - if (LONG_MAX/len < RARRAY(ary)->len) { + if (ARY_MAX_SIZE/len < RARRAY(ary)->len) { rb_raise(rb_eArgError, "argument too big"); } len *= RARRAY(ary)->len; @@ -392,6 +392,7 @@ void rb_trap_exec _((void)); const char *ruby_signal_name _((int)); /* sprintf.c */ VALUE rb_f_sprintf _((int, VALUE*)); +VALUE rb_str_format _((int, VALUE*, VALUE)); /* string.c */ VALUE rb_str_new _((const char*, long)); VALUE rb_str_new2 _((const char*)); @@ -247,7 +247,15 @@ rb_f_sprintf(argc, argv) int argc; VALUE *argv; { + return rb_str_format(argc - 1, argv + 1, GETNTHARG(0)); +} + +VALUE +rb_str_format(argc, argv, fmt) + int argc; + VALUE *argv; VALUE fmt; +{ const char *p, *end; char *buf; int blen, bsiz; @@ -276,7 +284,8 @@ rb_f_sprintf(argc, argv) rb_raise(rb_eArgError, "flag after precision"); \ } - fmt = GETNTHARG(0); + ++argc; + --argv; if (OBJ_TAINTED(fmt)) tainted = 1; StringValue(fmt); fmt = rb_str_new4(fmt); @@ -450,22 +450,15 @@ rb_str_times(str, times) */ static VALUE -rb_str_format(str, arg) +rb_str_format_m(str, arg) VALUE str, arg; { - VALUE *argv; + VALUE tmp = rb_check_array_type(arg); - if (TYPE(arg) == T_ARRAY) { - argv = ALLOCA_N(VALUE, RARRAY(arg)->len + 1); - argv[0] = str; - MEMCPY(argv+1, RARRAY(arg)->ptr, VALUE, RARRAY(arg)->len); - return rb_f_sprintf(RARRAY(arg)->len+1, argv); + if (!NIL_P(tmp)) { + return rb_str_format(RARRAY(tmp)->len, RARRAY(tmp)->ptr, str); } - - argv = ALLOCA_N(VALUE, 2); - argv[0] = str; - argv[1] = arg; - return rb_f_sprintf(2, argv); + return rb_str_format(1, &arg, str); } static int @@ -777,6 +770,9 @@ rb_str_buf_append(str, str2) capa = RSTRING(str)->aux.capa; } len = RSTRING(str)->len+RSTRING(str2)->len; + if (len < 0 || (capa+1) > LONG_MAX / 2) { + rb_raise(rb_eArgError, "string sizes too big"); + } if (capa <= len) { while (len > capa) { capa = (capa + 1) * 2; @@ -4651,7 +4647,7 @@ Init_String() rb_define_method(rb_cString, "casecmp", rb_str_casecmp, 1); rb_define_method(rb_cString, "+", rb_str_plus, 1); rb_define_method(rb_cString, "*", rb_str_times, 1); - rb_define_method(rb_cString, "%", rb_str_format, 1); + rb_define_method(rb_cString, "%", rb_str_format_m, 1); rb_define_method(rb_cString, "[]", rb_str_aref_m, -1); rb_define_method(rb_cString, "[]=", rb_str_aset_m, -1); rb_define_method(rb_cString, "insert", rb_str_insert, 2); @@ -2,7 +2,7 @@ #define RUBY_RELEASE_DATE "2008-06-20" #define RUBY_VERSION_CODE 185 #define RUBY_RELEASE_CODE 20080620 -#define RUBY_PATCHLEVEL 228 +#define RUBY_PATCHLEVEL 229 #define RUBY_VERSION_MAJOR 1 #define RUBY_VERSION_MINOR 8 |