merge revision(s) 55410: [Backport #12488]

* ext/date/date_strftime.c (date_strftime_with_tmx): reject too large precision to get rid of buffer overflow. reported by Guido Vranken <guido AT guidovranken.nl>. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@55910 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2016-08-15 19:47:39 +0000
committer: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2016-08-15 19:47:39 +0000
commit: 38e722f741c628bd6dbfbd74c8e191beeb460203 (patch)
tree: 4b1ce3612ce599e6f6ee310b1302515246e08ffd
parent: 12b6cd61c0740af71f12c4e1a247ee502e8e78dd (diff)
4 files changed, 22 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 1ccda8d6ed..c5bf73868b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Tue Aug 16 04:38:48 2016  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* ext/date/date_strftime.c (date_strftime_with_tmx): reject too
+	  large precision to get rid of buffer overflow.
+	  reported by Guido Vranken <guido AT guidovranken.nl>.
+
 Tue Aug 16 04:28:22 2016  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* file.c (append_fspath): normalize directory name to be appended
diff --git a/ext/date/date_strftime.c b/ext/date/date_strftime.c
index 20931a3124..9d8167b612 100644
--- a/ext/date/date_strftime.c
+++ b/ext/date/date_strftime.c
@@ -48,7 +48,7 @@ downcase(char *s, size_t i)
 /* strftime --- produce formatted time */
 
 static size_t
-date_strftime_with_tmx(char *s, size_t maxsize, const char *format,
+date_strftime_with_tmx(char *s, const size_t maxsize, const char *format,
 		       const struct tmx *tmx)
 {
     char *endp = s + maxsize;
@@ -575,7 +575,12 @@ date_strftime_with_tmx(char *s, size_t maxsize, const char *format,
 	  case '5': case '6':  case '7': case '8': case '9':
 	    {
 		char *e;
-		precision = (int)strtoul(format, &e, 10);
+		unsigned long prec = strtoul(format, &e, 10);
+		if (prec > INT_MAX || prec > maxsize) {
+		    errno = ERANGE;
+		    return 0;
+		}
+		precision = (int)prec;
 		format = e - 1;
 		goto again;
 	    }
diff --git a/test/date/test_date_strftime.rb b/test/date/test_date_strftime.rb
index 7472a4323d..1c0f9b11b4 100644
--- a/test/date/test_date_strftime.rb
+++ b/test/date/test_date_strftime.rb
@@ -420,4 +420,12 @@ class TestDateStrftime < Test::Unit::TestCase
 
   end
 
+  def test_overflow
+    assert_raise(ArgumentError, Errno::ERANGE) {
+      Date.new(2000,1,1).strftime("%2147483647c")
+    }
+    assert_raise(ArgumentError, Errno::ERANGE) {
+      DateTime.new(2000,1,1).strftime("%2147483647c")
+    }
+  end
 end
diff --git a/version.h b/version.h
index 7f8eca36ba..24f5b28037 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.3.2"
 #define RUBY_RELEASE_DATE "2016-08-16"
-#define RUBY_PATCHLEVEL 160
+#define RUBY_PATCHLEVEL 161
 
 #define RUBY_RELEASE_YEAR 2016
 #define RUBY_RELEASE_MONTH 8
author	nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2016-08-15 19:47:39 +0000
committer	nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2016-08-15 19:47:39 +0000
commit	38e722f741c628bd6dbfbd74c8e191beeb460203 (patch)
tree	4b1ce3612ce599e6f6ee310b1302515246e08ffd
parent	12b6cd61c0740af71f12c4e1a247ee502e8e78dd (diff)