diff options
author | Nobuyoshi Nakada <nobu@ruby-lang.org> | 2021-09-03 19:40:22 +0900 |
---|---|---|
committer | git <svn-admin@ruby-lang.org> | 2021-12-12 13:05:15 +0900 |
commit | e4b35b158a16c42d2b91a3e88309875240d0ce27 (patch) | |
tree | c310fbf57098d2141f930d8cdb1720609fd2bac3 /ext | |
parent | fbd733701659eed2d5a652b5890cfa80ccbce864 (diff) |
[ruby/cgi] Check integer overflow in long range
https://hackerone.com/reports/1328463
https://github.com/ruby/cgi/commit/ccaf6027e0
Diffstat (limited to 'ext')
-rw-r--r-- | ext/cgi/escape/escape.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/ext/cgi/escape/escape.c b/ext/cgi/escape/escape.c index 809f95ef4c..f88b61478b 100644 --- a/ext/cgi/escape/escape.c +++ b/ext/cgi/escape/escape.c @@ -32,12 +32,21 @@ preserve_original_state(VALUE orig, VALUE dest) rb_enc_associate(dest, rb_enc_get(orig)); } +static inline long +escaped_length(VALUE str) +{ + const long len = RSTRING_LEN(str); + if (len >= LONG_MAX / HTML_ESCAPE_MAX_LEN) { + ruby_malloc_size_overflow(len, HTML_ESCAPE_MAX_LEN); + } + return len * HTML_ESCAPE_MAX_LEN; +} + static VALUE optimized_escape_html(VALUE str) { VALUE vbuf; - typedef char escape_buf[HTML_ESCAPE_MAX_LEN]; - char *buf = *ALLOCV_N(escape_buf, vbuf, RSTRING_LEN(str)); + char *buf = ALLOCV_N(char, vbuf, escaped_length(str)); const char *cstr = RSTRING_PTR(str); const char *end = cstr + RSTRING_LEN(str); |