summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorshyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2008-06-19 23:12:55 +0000
committershyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2008-06-19 23:12:55 +0000
commit6f60803beaecbacd6770b3e8527fc6ce5d8fef77 (patch)
tree1a52f48ea8d590ebca80c5c7c9a1751e2a0501d4
parent502b6f1fde3e275f784767df3824bc7e957bac09 (diff)
parent594a34bedacc74101e511e5861742cab0694c54e (diff)
add tag v1_8_7_20v1_8_7_20
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/tags/v1_8_7_20@17463 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog15
-rw-r--r--array.c19
-rw-r--r--intern.h1
-rw-r--r--sprintf.c11
-rw-r--r--string.c22
-rw-r--r--version.h8
6 files changed, 52 insertions, 24 deletions
diff --git a/ChangeLog b/ChangeLog
index d16a4922a5..04956f26bb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+Wed Jun 18 22:24:46 2008 URABE Shyouhei <shyouhei@ruby-lang.org>
+
+ * array.c (ary_new, rb_ary_initialize, rb_ary_store,
+ rb_ary_aplice, rb_ary_times): integer overflows should be
+ checked. based on patches from Drew Yao <ayao at apple.com>
+ fixed CVE-2008-2726
+
+ * string.c (rb_str_buf_append): fixed unsafe use of alloca,
+ which led memory corruption. based on a patch from Drew Yao
+ <ayao at apple.com> fixed CVE-2008-2726
+
+ * sprintf.c (rb_str_format): backported from trunk.
+
+ * intern.h: ditto.
+
Tue Jun 17 15:09:46 2008 Nobuyoshi Nakada <nobu@ruby-lang.org>
* file.c (file_expand_path): no need to expand root path which has no
diff --git a/array.c b/array.c
index a42c8acbe3..fda2c24fef 100644
--- a/array.c
+++ b/array.c
@@ -20,6 +20,7 @@ VALUE rb_cArray;
static ID id_cmp;
#define ARY_DEFAULT_SIZE 16
+#define ARY_MAX_SIZE (LONG_MAX / sizeof(VALUE))
void
rb_mem_clear(mem, size)
@@ -120,7 +121,7 @@ ary_new(klass, len)
if (len < 0) {
rb_raise(rb_eArgError, "negative array size (or size too big)");
}
- if (len > 0 && len * sizeof(VALUE) <= len) {
+ if (len > ARY_MAX_SIZE) {
rb_raise(rb_eArgError, "array size too big");
}
if (len == 0) len++;
@@ -314,7 +315,7 @@ rb_ary_initialize(argc, argv, ary)
if (len < 0) {
rb_raise(rb_eArgError, "negative array size");
}
- if (len > 0 && len * (long)sizeof(VALUE) <= len) {
+ if (len > ARY_MAX_SIZE) {
rb_raise(rb_eArgError, "array size too big");
}
if (len > RARRAY(ary)->aux.capa) {
@@ -379,6 +380,9 @@ rb_ary_store(ary, idx, val)
idx - RARRAY(ary)->len);
}
}
+ else if (idx >= ARY_MAX_SIZE) {
+ rb_raise(rb_eIndexError, "index %ld too big", idx);
+ }
rb_ary_modify(ary);
if (idx >= RARRAY(ary)->aux.capa) {
@@ -387,10 +391,10 @@ rb_ary_store(ary, idx, val)
if (new_capa < ARY_DEFAULT_SIZE) {
new_capa = ARY_DEFAULT_SIZE;
}
- new_capa += idx;
- if (new_capa * (long)sizeof(VALUE) <= new_capa) {
- rb_raise(rb_eArgError, "index too big");
+ else if (new_capa >= ARY_MAX_SIZE - idx) {
+ new_capa = (ARY_MAX_SIZE - idx) / 2;
}
+ new_capa += idx;
REALLOC_N(RARRAY(ary)->ptr, VALUE, new_capa);
RARRAY(ary)->aux.capa = new_capa;
}
@@ -1091,6 +1095,9 @@ rb_ary_splice(ary, beg, len, rpl)
if (beg >= RARRAY(ary)->len) {
len = beg + rlen;
+ if (len < 0 || len > ARY_MAX_SIZE) {
+ rb_raise(rb_eIndexError, "index %ld too big", beg);
+ }
if (len >= RARRAY(ary)->aux.capa) {
REALLOC_N(RARRAY(ary)->ptr, VALUE, len);
RARRAY(ary)->aux.capa = len;
@@ -2522,7 +2529,7 @@ rb_ary_times(ary, times)
if (len < 0) {
rb_raise(rb_eArgError, "negative argument");
}
- if (LONG_MAX/len < RARRAY(ary)->len) {
+ if (ARY_MAX_SIZE/len < RARRAY(ary)->len) {
rb_raise(rb_eArgError, "argument too big");
}
len *= RARRAY(ary)->len;
diff --git a/intern.h b/intern.h
index ee99425b91..b670c9c484 100644
--- a/intern.h
+++ b/intern.h
@@ -418,6 +418,7 @@ const char *ruby_signal_name _((int));
void ruby_default_signal _((int));
/* sprintf.c */
VALUE rb_f_sprintf _((int, VALUE*));
+VALUE rb_str_format _((int, VALUE*, VALUE));
/* string.c */
VALUE rb_str_new _((const char*, long));
VALUE rb_str_new2 _((const char*));
diff --git a/sprintf.c b/sprintf.c
index d8aa5fd0a4..d39352b922 100644
--- a/sprintf.c
+++ b/sprintf.c
@@ -249,7 +249,15 @@ rb_f_sprintf(argc, argv)
int argc;
VALUE *argv;
{
+ return rb_str_format(argc - 1, argv + 1, GETNTHARG(0));
+}
+
+VALUE
+rb_str_format(argc, argv, fmt)
+ int argc;
+ VALUE *argv;
VALUE fmt;
+{
const char *p, *end;
char *buf;
int blen, bsiz;
@@ -278,7 +286,8 @@ rb_f_sprintf(argc, argv)
rb_raise(rb_eArgError, "flag after precision"); \
}
- fmt = GETNTHARG(0);
+ ++argc;
+ --argv;
if (OBJ_TAINTED(fmt)) tainted = 1;
StringValue(fmt);
fmt = rb_str_new4(fmt);
diff --git a/string.c b/string.c
index 5f1414ac34..fab5d0bcf3 100644
--- a/string.c
+++ b/string.c
@@ -459,22 +459,15 @@ rb_str_times(str, times)
*/
static VALUE
-rb_str_format(str, arg)
+rb_str_format_m(str, arg)
VALUE str, arg;
{
- VALUE *argv;
+ VALUE tmp = rb_check_array_type(arg);
- if (TYPE(arg) == T_ARRAY) {
- argv = ALLOCA_N(VALUE, RARRAY(arg)->len + 1);
- argv[0] = str;
- MEMCPY(argv+1, RARRAY(arg)->ptr, VALUE, RARRAY(arg)->len);
- return rb_f_sprintf(RARRAY(arg)->len+1, argv);
+ if (!NIL_P(tmp)) {
+ return rb_str_format(RARRAY_LEN(tmp), RARRAY_PTR(tmp), str);
}
-
- argv = ALLOCA_N(VALUE, 2);
- argv[0] = str;
- argv[1] = arg;
- return rb_f_sprintf(2, argv);
+ return rb_str_format(1, &arg, str);
}
static int
@@ -795,6 +788,9 @@ rb_str_buf_append(str, str2)
capa = RSTRING(str)->aux.capa;
}
len = RSTRING(str)->len+RSTRING(str2)->len;
+ if (len < 0 || (capa+1) > LONG_MAX / 2) {
+ rb_raise(rb_eArgError, "string sizes too big");
+ }
if (capa <= len) {
while (len > capa) {
capa = (capa + 1) * 2;
@@ -4923,7 +4919,7 @@ Init_String()
rb_define_method(rb_cString, "casecmp", rb_str_casecmp, 1);
rb_define_method(rb_cString, "+", rb_str_plus, 1);
rb_define_method(rb_cString, "*", rb_str_times, 1);
- rb_define_method(rb_cString, "%", rb_str_format, 1);
+ rb_define_method(rb_cString, "%", rb_str_format_m, 1);
rb_define_method(rb_cString, "[]", rb_str_aref_m, -1);
rb_define_method(rb_cString, "[]=", rb_str_aset_m, -1);
rb_define_method(rb_cString, "insert", rb_str_insert, 2);
diff --git a/version.h b/version.h
index 9784655833..e8222b56b1 100644
--- a/version.h
+++ b/version.h
@@ -1,15 +1,15 @@
#define RUBY_VERSION "1.8.7"
-#define RUBY_RELEASE_DATE "2008-06-17"
+#define RUBY_RELEASE_DATE "2008-06-20"
#define RUBY_VERSION_CODE 187
-#define RUBY_RELEASE_CODE 20080617
-#define RUBY_PATCHLEVEL 19
+#define RUBY_RELEASE_CODE 20080620
+#define RUBY_PATCHLEVEL 20
#define RUBY_VERSION_MAJOR 1
#define RUBY_VERSION_MINOR 8
#define RUBY_VERSION_TEENY 7
#define RUBY_RELEASE_YEAR 2008
#define RUBY_RELEASE_MONTH 6
-#define RUBY_RELEASE_DAY 17
+#define RUBY_RELEASE_DAY 20
#ifdef RUBY_EXTERN
RUBY_EXTERN const char ruby_version[];