From 09ee12bb20f037233228ae546dc352b0a669cc23 Mon Sep 17 00:00:00 2001 From: usa Date: Fri, 2 Jul 2010 14:31:26 +0000 Subject: * io.c (argf_inplace_mode_set): prohibits an assignment of a tainted value. * file.c (ruby_find_basename, ruby_find_extname): split from rb_file_s_basename() and rb_file_s_extname(). * util.c (ruby_add_suffix): support arbitrary length of the suffix to get rid of the potential buffer overflow. reported by tarui. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@28525 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- util.c | 97 +++++++++++++++++++++++++++++++++++------------------------------- 1 file changed, 52 insertions(+), 45 deletions(-) (limited to 'util.c') diff --git a/util.c b/util.c index 2f67107691..368558607f 100644 --- a/util.c +++ b/util.c @@ -258,77 +258,85 @@ static int valid_filename(const char *s); static const char suffix1[] = ".$$$"; static const char suffix2[] = ".~~~"; -#define ext (&buf[1000]) - #define strEQ(s1,s2) (strcmp(s1,s2) == 0) +extern const char *ruby_find_basename(const char *, long *, long *); +extern const char *ruby_find_extname(const char *, long *); + void ruby_add_suffix(VALUE str, const char *suffix) { int baselen; int extlen = strlen(suffix); - char *s, *t, *p; + char *p, *q; long slen; char buf[1024]; - char *const bufend = buf + sizeof(buf); + const char *name; + const char *ext; + long len; - if (RSTRING_LEN(str) > 1000) - rb_fatal("Cannot do inplace edit on long filename (%ld characters)", - RSTRING_LEN(str)); + name = StringValueCStr(str); + slen = strlen(name); + if (slen > sizeof(buf) - 1) + rb_fatal("Cannot do inplace edit on long filename (%ld characters)", + slen); -#if defined(__CYGWIN32__) || defined(_WIN32) /* Style 0 */ - slen = RSTRING_LEN(str); rb_str_cat(str, suffix, extlen); if (valid_filename(RSTRING_PTR(str))) return; /* Fooey, style 0 failed. Fix str before continuing. */ rb_str_resize(str, slen); -#endif - - slen = extlen; - t = buf; baselen = 0; s = RSTRING_PTR(str); - while ((*t = *s) && *s != '.') { - baselen++; - if (*s == '\\' || *s == '/') baselen = 0; - s++; t++; - } - p = t; - - t = ext; extlen = 0; - while ((*t++ = *s++) != 0) extlen++; - if (extlen == 0) { ext[0] = '.'; ext[1] = 0; extlen++; } + name = StringValueCStr(str); + ext = ruby_find_extname(name, &len); if (*suffix == '.') { /* Style 1 */ - if (strEQ(ext, suffix)) goto fallback; - strlcpy(p, suffix, bufend - p); - } - else if (suffix[1] == '\0') { /* Style 2 */ - if (extlen < 4) { - ext[extlen] = *suffix; - ext[++extlen] = '\0'; - } - else if (baselen < 8) { - *p++ = *suffix; + if (ext) { + if (strEQ(ext, suffix)) goto fallback; + slen = ext - name; } - else if (ext[3] != *suffix) { - ext[3] = *suffix; + rb_str_resize(str, slen); + rb_str_cat(str, suffix, extlen); + } + else { + strncpy(buf, name, slen); + if (ext) + p = buf + (ext - name); + else + p = buf + slen; + p[len] = '\0'; + if (suffix[1] == '\0') { /* Style 2 */ + if (len <= 3) { + p[len] = *suffix; + p[++len] = '\0'; + } + else if ((q = (char *)ruby_find_basename(buf, &baselen, 0)) && + baselen < 8) { + q += baselen; + *q++ = *suffix; + if (ext) { + strncpy(q, ext, ext - name); + q[ext - name + 1] = '\0'; + } + else + *q = '\0'; + } + else if (len == 4 && p[3] != *suffix) + p[3] = *suffix; + else if (baselen == 8 && q[7] != *suffix) + q[7] = *suffix; + else + goto fallback; } - else if (buf[7] != *suffix) { - buf[7] = *suffix; + else { /* Style 3: Panic */ + fallback: + (void)memcpy(p, !ext || strEQ(ext, suffix1) ? suffix2 : suffix1, 5); } - else goto fallback; - strlcpy(p, ext, bufend - p); - } - else { /* Style 3: Panic */ -fallback: - (void)memcpy(p, strEQ(ext, suffix1) ? suffix2 : suffix1, 5); } rb_str_resize(str, strlen(buf)); memcpy(RSTRING_PTR(str), buf, RSTRING_LEN(str)); } -#if defined(__CYGWIN32__) || defined(_WIN32) static int valid_filename(const char *s) { @@ -350,7 +358,6 @@ valid_filename(const char *s) return 0; } #endif -#endif /* mm.c */ -- cgit v1.2.3