path: root/ChangeLog
author: rhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2016-09-13 12:33:16 +0000
committer: rhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2016-09-13 12:33:16 +0000
commit: 00fcd967d9900713fa7f617d9a5077ec178e073f (patch)
tree: c67f6990cc1b6da9a0c0e510eb550ac46c2617a8 /ChangeLog
parent: 2f551849c4e05c96569739d8f057a4ea41e33300 (diff)
string.c: avoid signed integer overflow

The behavior on signed integer overflow is undefined. On platforms with sizeof(long)==4, it's fairly easy for 'len + termlen' to overflow, where len is the string length and termlen is the terminator length. So, prevent the integer overflow by avoiding adding to a string length, or casting to size_t before adding where the total size is passed to {RE,}ALLOC*().

* string.c (STR_HEAP_SIZE, RESIZE_CAPA_TERM, str_new0, rb_str_buf_new, str_shared_replace, rb_str_init, str_make_independent_expand, rb_str_resize): Avoid overflow by casting the length to size_t. size_t should be able to represent LONG_MAX+termlen.

* string.c (rb_str_modify_expand): Check that the new length is in the range of long before resizing. Also refactor to use RESIZE_CAPA_TERM macro.

* string.c (str_buf_cat): Fix so that it does not create a negative length String. Also fix the condition for 'string sizes too big', the total length can be up to LONG_MAX.

* string.c (rb_str_plus): Check the resulting String length does not exceed LONG_MAX.

* string.c (rb_str_dump): Fix integer overflow. The dump result will be longer than the original String.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56157 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
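The overflow-avoidance patterns the message describes, as an added C example that is not Ruby's string.c; the strbuf type and the function names are assumptions chosen to mirror the entries above:

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Minimal string buffer, constructed for this example (not Ruby's RString). */
typedef struct {
    char *ptr;
    long len;    /* bytes in use, excluding the terminator */
    long capa;   /* bytes allocated for content, excluding the terminator */
    int termlen; /* terminator width: 1 for UTF-8, up to 4 for UTF-32 */
} strbuf;

/* STR_HEAP_SIZE pattern: cast to size_t before adding, so the sum is computed
 * unsigned and LONG_MAX + termlen cannot overflow (size_t is at least as wide
 * as long on the platforms this targets, including the LP32 case above). */
static size_t heap_size(long capa, int termlen)
{
    return (size_t)capa + (size_t)termlen;
}

/* rb_str_modify_expand pattern: verify len + expand fits in long before doing
 * the addition. Returns 1 on success, 0 on range error or allocation failure. */
static int modify_expand(strbuf *s, long expand)
{
    if (expand < 0 || expand > LONG_MAX - s->len) return 0;
    long need = s->len + expand; /* cannot overflow after the check above */
    if (need <= s->capa) return 1;
    char *p = realloc(s->ptr, heap_size(need, s->termlen));
    if (!p) return 0;
    s->ptr = p;
    s->capa = need;
    return 1;
}

/* str_buf_cat pattern: append n bytes; the total stays <= LONG_MAX. */
static int buf_cat(strbuf *s, const char *src, long n)
{
    if (n < 0 || !modify_expand(s, n)) return 0;
    memcpy(s->ptr + s->len, src, (size_t)n);
    s->len += n;
    memset(s->ptr + s->len, 0, (size_t)s->termlen); /* write the terminator */
    return 1;
}

static strbuf *strbuf_new(int termlen)
{
    strbuf *s = calloc(1, sizeof *s);
    if (s && !(s->ptr = calloc(1, (size_t)termlen))) { free(s); return NULL; }
    if (s) s->termlen = termlen;
    return s;
}
```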
Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog | 21
1 files changed, 21 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index ddb0ac42d7..5b2e81a29d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,24 @@
+Tue Sep 13 21:32:54 2016 Kazuki Yamaguchi <k@rhe.jp>
+
+ * string.c (STR_HEAP_SIZE, RESIZE_CAPA_TERM, str_new0, rb_str_buf_new,
+ str_shared_replace, rb_str_init, str_make_independent_expand,
+ rb_str_resize): Avoid overflow by casting the length to size_t. size_t
+ should be able to represent LONG_MAX+termlen.
+
+ * string.c (rb_str_modify_expand): Check that the new length is in the
+ range of long before resizing. Also refactor to use RESIZE_CAPA_TERM
+ macro.
+
+ * string.c (str_buf_cat): Fix so that it does not create a negative
+ length String. Also fix the condition for 'string sizes too big', the
+ total length can be up to LONG_MAX.
+
+ * string.c (rb_str_plus): Check the resulting String length does not
+ exceed LONG_MAX.
+
+ * string.c (rb_str_dump): Fix integer overflow. The dump result will be
+ longer then the original String.
+
Tue Sep 13 21:30:53 2016 Kazuki Yamaguchi <k@rhe.jp>
* gc.c (heap_extend_pages, get_envparam_size, ruby_malloc_size_overflow,
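Review bot: typo in the rb_str_dump entry near the end of the hunk: "The dump result will be longer then the original String" should read "longer than the original String". The rest of the entry text matches the commit message; since this diff touches only ChangeLog, the string.c changes it describes are not reviewable here.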