summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorngoto <ngoto@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-07-15 13:08:54 +0000
committerngoto <ngoto@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-07-15 13:08:54 +0000
commit20c4461d86487447e0c8208514ff90835104b89c (patch)
tree86b77241026e97e5d7e3bc74f444725f3dcbf69d
parent2bb292fccf9560b2c885b4368e5c5fc3fe2a2bda (diff)
* string.c (str_buf_cat): Fix potential interger overflow of capa.
In addition, termlen is used instead of +1. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55692 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog5
-rw-r--r--string.c5
2 files changed, 8 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 16b297f251d..ddb67d1fb5f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Fri Jul 15 22:05:13 2016 Naohisa Goto <ngotogenome@gmail.com>
+
+ * string.c (str_buf_cat): Fix potential interger overflow of capa.
+ In addition, termlen is used instead of +1.
+
Fri Jul 15 21:30:38 2016 Naohisa Goto <ngotogenome@gmail.com>
* string.c (str_buf_cat): Fix capa size for embed string.
diff --git a/string.c b/string.c
index 514488fd935..ec26a589f1f 100644
--- a/string.c
+++ b/string.c
@@ -2562,6 +2562,7 @@ str_buf_cat(VALUE str, const char *ptr, long len)
long capa, total, olen, off = -1;
char *sptr;
const int termlen = TERM_LEN(str);
+ assert(termlen < RSTRING_EMBED_LEN_MAX + 1); /* < (LONG_MAX/2) */
RSTRING_GETMEM(str, sptr, olen);
if (ptr >= sptr && ptr <= sptr + olen) {
@@ -2586,11 +2587,11 @@ str_buf_cat(VALUE str, const char *ptr, long len)
if (capa <= total) {
if (LIKELY(capa > 0)) {
while (total > capa) {
- if (capa > LONG_MAX / 2) {
+ if (capa > LONG_MAX / 2 - termlen) {
capa = (total + 4095) / 4096 * 4096;
break;
}
- capa = 2 * capa + 1;
+ capa = 2 * capa + termlen; /* == 2*(capa+termlen)-termlen */
}
}
else {