diff options
| author | naruse <naruse@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2018-03-28 09:26:06 +0000 |
|---|---|---|
| committer | naruse <naruse@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2018-03-28 09:26:06 +0000 |
| commit | 7357f524beb54ce64c5669afa39e6c68a72cea9b (patch) | |
| tree | ea662c985b989a2081e412e4e7f4b4dbb6805e9e | |
| parent | 8db32a2b89df4687018fb0d7741acd284084e136 (diff) | |
pack.c: fix underflow
* pack.c (pack_unpack_internal): get rid of underflow.
https://hackerone.com/reports/298246
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@62975 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
| -rw-r--r-- | pack.c | 2 | ||||
| -rw-r--r-- | test/ruby/test_pack.rb | 3 |
2 files changed, 4 insertions, 1 deletions
@@ -1127,7 +1127,7 @@ pack_unpack_internal(VALUE str, VALUE fmt, int mode) else if (ISDIGIT(*p)) { errno = 0; len = STRTOUL(p, (char**)&p, 10); - if (errno) { + if (len < 0 || errno) { rb_raise(rb_eRangeError, "pack length too big"); } } diff --git a/test/ruby/test_pack.rb b/test/ruby/test_pack.rb index 62a7a54e8d..a872bf33c2 100644 --- a/test/ruby/test_pack.rb +++ b/test/ruby/test_pack.rb @@ -548,6 +548,9 @@ class TestPack < Test::Unit::TestCase assert_equal([1, 2], "\x01\x00\x00\x02".unpack("C@3C")) assert_equal([nil], "\x00".unpack("@1C")) # is it OK? assert_raise(ArgumentError) { "\x00".unpack("@2C") } + + pos = RbConfig::LIMITS["UINTPTR_MAX"] - 99 # -100 + assert_raise(RangeError) {"0123456789".unpack("@#{pos}C10")} end def test_pack_unpack_percent |