author | mame <mame@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-01-15 14:19:19 +0000 |
---|---|---|
committer | mame <mame@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-01-15 14:19:19 +0000 |
commit | ab2547d786572f4c14e0d849f5f64f006425c5ba (patch) | |
tree | b9edc897559417730205ed04dafe9ce07e9e21d2 /bootstraptest/test_literal.rb | |
parent | 10d85b19da5a9c94c5e7af16c53679981aee963b (diff) |
st.c (rb_hash_bulk_insert_into_st_table): avoid out-of-bounds write
"hash_bulk_insert" first expands the table, but the target size was
wrong: it was calculated by "num_entries + (size to bulk insert)", but
it was wrong when "num_entries < entries_bound", i.e., it has a deleted
entry. "hash_bulk_insert" adds the given entries from entries_bound,
which led to out-of-bounds write access. [Bug #15536]
As a simple fix, this commit changes the calculation to "entries_bound +
size". I'm afraid this might be inefficient, but I think it is safe
anyway.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@66832 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'bootstraptest/test_literal.rb')
-rw-r--r-- | bootstraptest/test_literal.rb | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/bootstraptest/test_literal.rb b/bootstraptest/test_literal.rb index 0c5102c46e..9b3c10d519 100644 --- a/bootstraptest/test_literal.rb +++ b/bootstraptest/test_literal.rb @@ -223,6 +223,24 @@ assert_equal 'ok', %q{ # long hash literal (optimized) :ok } +assert_equal 'ok', %q{ # Bug #15536 + eval <<-END + { + **{ + a0: nil, a1: nil, a2: nil, a3: nil, a4: nil, a5: nil, a6: nil, a7: nil, a8: nil, + }, + a0: nil, a1: nil, a2: nil, a3: nil, a4: nil, a5: nil, a6: nil, a7: nil, a8: nil, + **{ + c: nil + }, + b0: nil, b1: nil, b2: nil, b3: nil, b4: nil, b5: nil, b6: nil, b7: nil, b8: nil, + b9: nil, b10: nil, b11: nil, b12: nil, b13: nil, b14: nil, b15: nil, b16: nil, + b17: nil, b18: nil, b19: nil, b20: nil, b21: nil, + } + END + :ok +} + assert_equal 'ok', %q{ [print(:ok), exit] # void literal with side-effect :dummy |
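Review bot: the new assert_equal 'ok' block for Bug #15536 discards the hash that the eval builds and returns :ok unconditionally, so it passes whenever the interpreter does not crash; an out-of-bounds write that happens not to fault would go unnoticed. Consider keeping the result of the literal and checking it before returning :ok, for example that it has 32 keys (a0..a8, c, b0..b21) and that its last key is :b21. The "# Bug #15536" comment could also say in a few words why the shape of the literal matters (the a0..a8 keys repeated after the first double-splat, then a second double-splat and a long run of new keys), so that a later cleanup does not simplify the literal and lose the regression coverage.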