authornobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-05-18 05:52:40 +0000
committernobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-05-18 05:52:40 +0000
commitb493d156de6506c52222296bf0c26256d0f0479e (patch)
tree215df55e4f6dd04c6be150fbced6846ab23feede
parentb8fde968619cb9116fb765c70b3295460645652f (diff)
string.c: integer overflow
* string.c (rb_str_modify_expand): check integer overflow. [ruby-core:75592] [Bug #12390] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55054 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog5
-rw-r--r--string.c3
-rw-r--r--test/-ext-/string/test_modify_expand.rb9
3 files changed, 17 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 9ff19d2..ff4be96 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Wed May 18 14:52:38 2016 Nobuyoshi Nakada <nobu@ruby-lang.org>
+
+ * string.c (rb_str_modify_expand): check integer overflow.
+ [ruby-core:75592] [Bug #12390]
+
Wed May 18 13:11:44 2016 NARUSE, Yui <naruse@ruby-lang.org>
* re.c (match_ary_subseq): get subseq of match array without creating
diff --git a/string.c b/string.c
index 1e4d867..049b088 100644
--- a/string.c
+++ b/string.c
@@ -1914,6 +1914,9 @@ rb_str_modify_expand(VALUE str, long expand)
else if (expand > 0) {
long len = RSTRING_LEN(str);
long capa = len + expand;
+ if (expand >= LONG_MAX - len - termlen) {
+ rb_raise(rb_eArgError, "string size too big");
+ }
if (!STR_EMBED_P(str)) {
REALLOC_N(RSTRING(str)->as.heap.ptr, char, capa + termlen);
RSTRING(str)->as.heap.aux.capa = capa;
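Review bot: The initializer `long capa = len + expand;` still runs before the added guard, so for exactly the inputs the guard rejects, the signed addition has already overflowed; that is undefined behaviour in C even though `capa` is not used on that path. Declaring `long capa;` and assigning `capa = len + expand;` after the `rb_raise` check would keep the arithmetic on the checked side. The guard also appears to assume `termlen` is a small non-negative value so that `LONG_MAX - len - termlen` cannot itself wrap; a short comment such as `/* bound keeps capa + termlen passed to REALLOC_N within long */` would record that. The function starts and continues outside this hunk, so the embedded-string branch is not visible here.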
diff --git a/test/-ext-/string/test_modify_expand.rb b/test/-ext-/string/test_modify_expand.rb
index 5eb7a02..d3f5a17 100644
--- a/test/-ext-/string/test_modify_expand.rb
+++ b/test/-ext-/string/test_modify_expand.rb
@@ -13,4 +13,13 @@ class Test_StringModifyExpand < Test::Unit::TestCase
s.replace("")
CMD
end
+
+ def test_integer_overflow
+ bug12390 = '[ruby-core:75592] [Bug #12390]'
+ s = Bug::String.new
+ long_max = (1 << (8 * RbConfig::SIZEOF['long'] - 1)) - 1
+ assert_raise(ArgumentError, bug12390) {
+ s.modify_expand!(long_max)
+ }
+ end
end
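Review bot: `test_integer_overflow` only calls `modify_expand!(long_max)` on an empty string, so the `- len` term of the new guard in string.c is never exercised, and a regression that dropped it would still pass. A second assertion on a non-empty receiver would pin the boundary, for example `s = Bug::String.new("a" * 100)` followed by `assert_raise(ArgumentError, bug12390) { s.modify_expand!(long_max - 100) }`, assuming `Bug::String.new` accepts an initial value the way `String.new` does. The test class opens outside this hunk.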