author | nagachika <[email protected]> | 2022-03-12 16:36:40 +0900 |
---|---|---|
committer | nagachika <[email protected]> | 2022-03-12 16:36:40 +0900 |
commit | bac99c5175bf58815846f9987093a6d944d07fd3 (patch) | |
tree | c24d147333dd518828db4a58ccdb20395945ea65 /random.c | |
parent | 7c0537906314f0c2a317b37661ccdec8dddc6277 (diff) |
merge revision(s) bcc2bb28b04054106f4a36e8fd69b2af6ecb033a: [Backport #18500]
Fix stack buffer overflow
https://hackerone.com/reports/1306859
---
include/ruby/internal/memory.h | 6 +++---
random.c | 7 ++-----
2 files changed, 5 insertions(+), 8 deletions(-)
Diffstat (limited to 'random.c')
-rw-r--r-- | random.c | 7 |
1 files changed, 2 insertions, 5 deletions
@@ -369,15 +369,12 @@ rand_init(const rb_random_interface_t *rng, rb_random_t *rnd, VALUE seed) int sign; len = rb_absint_numwords(seed, 32, NULL); + if (len == 0) len = 1; buf = ALLOCV_N(uint32_t, buf0, len); sign = rb_integer_pack(seed, buf, len, sizeof(uint32_t), 0, INTEGER_PACK_LSWORD_FIRST|INTEGER_PACK_NATIVE_BYTE_ORDER); if (sign < 0) sign = -sign; - if (len == 0) { - buf[0] = 0; - len = 1; - } if (len > 1) { if (sign != 2 && buf[len-1] == 1) /* remove leading-zero-guard */ len--; @@ -814,7 +811,7 @@ rand_mt_init(rb_random_t *rnd, const uint32_t *buf, size_t len) { struct MT *mt = &((rb_random_mt_t *)rnd)->mt; if (len <= 1) { - init_genrand(mt, buf[0]); + init_genrand(mt, len ? buf[0] : 0); } else { init_by_array(mt, buf, (int)len); |
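Review bot: The added `if (len == 0) len = 1;` in rand_init has no comment explaining why a one-word minimum is required before `ALLOCV_N`. Because the explicit `buf[0] = 0;` was removed along with the old block, the zero-length case now appears to rely on rb_integer_pack filling that single word itself. A comment such as `/* keep at least one word so buf[0] exists when the seed packs to zero words */` would stop a later edit from moving the guard back below the allocation. The diffstat lists only memory.h and random.c, so no regression test for the zero-length case seems to be part of this backport. rand_init's body starts and ends outside the hunk.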
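Review bot: The new `len ? buf[0] : 0` guard in rand_mt_init covers only the `len <= 1` branch. On the `else` branch, `init_by_array(mt, buf, (int)len)` still narrows a size_t to int without a range check. Whether a len above INT_MAX can reach this function depends on callers outside the hunk, so either bound it before the call (for example `if (len > INT_MAX) len = INT_MAX;`) or add a comment stating the assumed limit. The ternary itself would benefit from a short comment such as `/* len == 0: buf may be empty, seed with 0 */`, since the rand_init change in this commit appears to make that case unreachable from there and the guard is presumably for other callers.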