authornagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2019-03-12 22:01:32 +0000
committernagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2019-03-12 22:01:32 +0000
commitb828c95bcac62b96adb64b602fa51cbd1c00b342 (patch)
tree9a959655f0cba92535326e53aa907758bfbbfc2d
parent7244db9da3a02fc5577200ad67a2e132b4a41f26 (diff)
merge revision(s) 66832: [Backport #15536]
st.c (rb_hash_bulk_insert_into_st_table): avoid out-of-bounds write "hash_bulk_insert" first expands the table, but the target size was wrong: it was calculated by "num_entries + (size to bulk insert)", but it was wrong when "num_entries < entries_bound", i.e., it has a deleted entry. "hash_bulk_insert" adds the given entries from entries_bound, which led to out-of-bounds write access. [Bug #15536] As a simple fix, this commit changes the calculation to "entries_bound + size". I'm afraid this might be inefficient, but I think it is safe anyway. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67236 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--bootstraptest/test_literal.rb18
-rw-r--r--st.c2
-rw-r--r--version.h2
3 files changed, 20 insertions, 2 deletions
diff --git a/bootstraptest/test_literal.rb b/bootstraptest/test_literal.rb
index 0c5102c46e..9b3c10d519 100644
--- a/bootstraptest/test_literal.rb
+++ b/bootstraptest/test_literal.rb
@@ -223,6 +223,24 @@ assert_equal 'ok', %q{ # long hash literal (optimized)
:ok
}
+assert_equal 'ok', %q{ # Bug #15536
+ eval <<-END
+ {
+ **{
+ a0: nil, a1: nil, a2: nil, a3: nil, a4: nil, a5: nil, a6: nil, a7: nil, a8: nil,
+ },
+ a0: nil, a1: nil, a2: nil, a3: nil, a4: nil, a5: nil, a6: nil, a7: nil, a8: nil,
+ **{
+ c: nil
+ },
+ b0: nil, b1: nil, b2: nil, b3: nil, b4: nil, b5: nil, b6: nil, b7: nil, b8: nil,
+ b9: nil, b10: nil, b11: nil, b12: nil, b13: nil, b14: nil, b15: nil, b16: nil,
+ b17: nil, b18: nil, b19: nil, b20: nil, b21: nil,
+ }
+ END
+ :ok
+}
+
assert_equal 'ok', %q{
[print(:ok), exit] # void literal with side-effect
:dummy
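Review bot: The added test is labelled only `# Bug #15536`, so nothing in the file records why the literal needs this particular shape. A comment such as `# repeated keys a0..a8 leave deleted entries before the long tail is bulk-inserted` would help, assuming that is the mechanism the commit message describes. Since the defect is an out-of-bounds write, a plain run on an unfixed build may not fail deterministically; it is worth confirming the test is also exercised under a memory checker or an assertion-enabled build.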
diff --git a/st.c b/st.c
index 9740e02d59..d44c979e19 100644
--- a/st.c
+++ b/st.c
@@ -2292,7 +2292,7 @@ rb_hash_bulk_insert(long argc, const VALUE *argv, VALUE hash)
RHASH(hash)->ntbl = tab = RHASH(tmp)->ntbl;
RHASH(tmp)->ntbl = NULL;
}
- n = tab->num_entries + argc / 2;
+ n = tab->entries_bound + argc / 2;
st_expand_table(tab, n);
if (UNLIKELY(tab->num_entries))
st_insert_generic(tab, argc, argv, hash);
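Review bot: The changed line `n = tab->entries_bound + argc / 2;` has no comment explaining why the bound, not the live count, sizes the table, so a later cleanup could revert it to `num_entries` and bring back the heap out-of-bounds write. I would add above it `/* entries are appended from entries_bound, not num_entries: deleted slots still occupy the array */`. The branch on the following line still tests `tab->num_entries`, and the other insert paths are outside this hunk, so it is worth confirming they are also safe when the table holds only deleted entries. rb_hash_bulk_insert starts and ends outside the hunk.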
diff --git a/version.h b/version.h
index 67e9e7efa5..f1792fe296 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
#define RUBY_VERSION "2.5.4"
#define RUBY_RELEASE_DATE "2019-03-13"
-#define RUBY_PATCHLEVEL 148
+#define RUBY_PATCHLEVEL 149
#define RUBY_RELEASE_YEAR 2019
#define RUBY_RELEASE_MONTH 3