author | naruse <naruse@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2018-03-28 09:26:08 +0000 |
committer | naruse <naruse@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2018-03-28 09:26:08 +0000 |
commit | eb60f1b561e6051f5b1ec7b66399d8e38ea28794 (patch) | |
tree | e3f521d9c085623827f689844e9a1948dc78e24b /ext | |
parent | 7af7b27228a6ad875297e1e22813ea8161cd4bc8 (diff) |
sdbm: check offset
* ext/sdbm/_sdbm.c (splpage): check offset range.
https://hackerone.com/reports/271291
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@62977 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'ext')
-rw-r--r-- | ext/sdbm/_sdbm.c | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/ext/sdbm/_sdbm.c b/ext/sdbm/_sdbm.c
index e8b7176ddc..85f6098130 100644
--- a/ext/sdbm/_sdbm.c
+++ b/ext/sdbm/_sdbm.c
@@ -66,7 +66,7 @@ static datum getpair proto((char *, datum));
 static int delpair proto((char *, datum));
 static int chkpage proto((char *));
 static datum getnkey proto((char *, int));
-static void splpage proto((char *, char *, long));
+static int splpage proto((char *, char *, long));
 #if SEEDUPS
 static int duppair proto((char *, datum));
 #endif
@@ -384,7 +384,8 @@ makroom(register DBM *db, long int hash, int need)
 /*
  * split the current page
  */
- (void) splpage(pag, new, db->hmask + 1);
+ if (splpage(pag, new, db->hmask + 1))
+ return 0;
 /*
  * address of the new page
  */
@@ -851,11 +852,12 @@ seepair(char *pag, register int n, register char *key, register int siz)
 return 0;
 }
-static void
+static int
 splpage(char *pag, char *new, long int sbit)
 {
 datum key;
 datum val;
+ int error = 0;
 register int n;
 register int off = PBLKSIZ;
@@ -868,10 +870,16 @@ splpage(char *pag, char *new, long int sbit)
 n = GET_SHORT(ino,0);
 for (ino++; n > 0; ino += 2) {
- key.dptr = cur + GET_SHORT(ino,0);
- key.dsize = off - GET_SHORT(ino,0);
- val.dptr = cur + GET_SHORT(ino,1);
- val.dsize = GET_SHORT(ino,0) - GET_SHORT(ino,1);
+ int k = GET_SHORT(ino,0);
+ int v = GET_SHORT(ino,1);
+ if (k < 0 || k > off || v < 0 || v > k) {
+ error = 1;
+ break;
+ }
+ key.dptr = cur + k;
+ key.dsize = off - k;
+ val.dptr = cur + v;
+ val.dsize = k - v;
 /*
  * select the page pointer (by looking at sbit) and insert
  */
@@ -884,6 +892,8 @@ splpage(char *pag, char *new, long int sbit)
 debug(("%d split %d/%d\n", ((short *) cur)[0] / 2, ((short *) new)[0] / 2, ((short *) pag)[0] / 2));
+
+ return error;
 }
 /*
|
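Review bot: When the new range check in splpage trips (the `@@ -868` hunk), the loop breaks out after the split has already started rewriting pag and new, so makroom's added `return 0;` (the `@@ -384` hunk) hands a corrupt page back to the caller with db->pagbuf presumably holding a half-rebuilt page rather than the one read from disk. cur appears to be the pre-split copy of pag prepared before the hunk; if that is so, restoring it before reporting the error keeps the in-memory page cache consistent with the file, e.g. `if (error) memcpy(pag, cur, PBLKSIZ);` immediately ahead of the new `return error;` in the last hunk. The check also bounds only the per-entry offsets, not the walk itself: `n` from `GET_SHORT(ino,0)` is still trusted, so unless the entry count was validated when the page was loaded (chkpage is the likely place, but it is outside this diff), the `ino` reads can run past cur before the offset test fires — a one-line comment such as `/* entry count n is assumed to have been validated by chkpage on load */` above the loop would make that dependency explicit. The body of splpage begins before the hunk and the rest of the loop (the putpair call and the off update) lies outside it.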