merge revision(s) 62992:

pack.c: fix underflow * pack.c (pack_unpack_internal): get rid of underflow. https://hackerone.com/reports/298246 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62997 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2018-03-28 10:37:07 +0000
committer: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2018-03-28 10:37:07 +0000
commit: b9121fe7602a560c4fee9ab353a7f57a3988ec73 (patch)
tree: 86912fe643f32b882ce6c682c965494dd9dba3bc
parent: 634232aab57007bbad5c4bad0147d5c965f01d25 (diff)
4 files changed, 12 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 5ebb68b720..ecac951b51 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+Wed Mar 28 19:36:24 2018  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	pack.c: fix underflow
+
+	* pack.c (pack_unpack_internal): get rid of underflow.
+	  https://hackerone.com/reports/298246
+
 Wed Mar 28 19:30:54 2018  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	unixsocket.c: check NUL bytes
diff --git a/pack.c b/pack.c
index e27eeef6cc..1eceee0af6 100644
--- a/pack.c
+++ b/pack.c
@@ -1235,7 +1235,7 @@ pack_unpack(VALUE str, VALUE fmt)
 	else if (ISDIGIT(*p)) {
 	    errno = 0;
 	    len = STRTOUL(p, (char**)&p, 10);
-	    if (errno) {
+	    if (len < 0 || errno) {
 		rb_raise(rb_eRangeError, "pack length too big");
 	    }
 	}
diff --git a/test/ruby/test_pack.rb b/test/ruby/test_pack.rb
index b0fd0b7158..b59faec9f3 100644
--- a/test/ruby/test_pack.rb
+++ b/test/ruby/test_pack.rb
@@ -548,6 +548,9 @@ class TestPack < Test::Unit::TestCase
     assert_equal([1, 2], "\x01\x00\x00\x02".unpack("C@3C"))
     assert_equal([nil], "\x00".unpack("@1C")) # is it OK?
     assert_raise(ArgumentError) { "\x00".unpack("@2C") }
+
+    pos = (1 << [nil].pack("p").bytesize * 8) - 100 # -100
+    assert_raise(RangeError) {"0123456789".unpack("@#{pos}C10")}
   end
 
   def test_pack_unpack_percent
diff --git a/version.h b/version.h
index 5e2bcd55e3..9ea4f2cd6c 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.3.7"
 #define RUBY_RELEASE_DATE "2018-03-28"
-#define RUBY_PATCHLEVEL 453
+#define RUBY_PATCHLEVEL 454
 
 #define RUBY_RELEASE_YEAR 2018
 #define RUBY_RELEASE_MONTH 3
author	usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2018-03-28 10:37:07 +0000
committer	usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2018-03-28 10:37:07 +0000
commit	b9121fe7602a560c4fee9ab353a7f57a3988ec73 (patch)
tree	86912fe643f32b882ce6c682c965494dd9dba3bc
parent	634232aab57007bbad5c4bad0147d5c965f01d25 (diff)