Fix stack buffer overflow

https://hackerone.com/reports/1306859
author: Nobuyoshi Nakada <nobu@ruby-lang.org> 2021-08-17 22:01:57 +0900
committer: Nobuyoshi Nakada <nobu@ruby-lang.org> 2021-12-10 01:04:59 +0900
commit: bcc2bb28b04054106f4a36e8fd69b2af6ecb033a (patch)
tree: 7a97803a65f1fa1a617cbda6c40b4da23deeee53 /include
parent: 9873af0b1a343dff6d1a8af4c813aa2c9ecc47d5 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/include/ruby/internal/memory.h b/include/ruby/internal/memory.h
index aa3464465d..242892d50f 100644
--- a/include/ruby/internal/memory.h
+++ b/include/ruby/internal/memory.h
@@ -284,7 +284,7 @@ typedef uint128_t DSIZE_T;
  * @return      A pointer on stack.
  */
 #define ALLOCA_N(type,n) \
-    RBIMPL_CAST((type *)alloca(rbimpl_size_mul_or_raise(sizeof(type), (n))))
+    RBIMPL_CAST((type *)(!(n) ? NULL : alloca(rbimpl_size_mul_or_raise(sizeof(type), (n)))))
 
 /**
  * Identical to #RB_ALLOCV_N(), except it  implicitly assumes the type of array
@@ -297,7 +297,7 @@ typedef uint128_t DSIZE_T;
  */
 #define RB_ALLOCV(v, n)        \
     ((n) < RUBY_ALLOCV_LIMIT ? \
-     ((v) = 0, alloca(n)) :    \
+     ((v) = 0, !(n) ? NULL : alloca(n)) : \
      rb_alloc_tmp_buffer(&(v), (n)))
 
 /**
@@ -330,7 +330,7 @@ typedef uint128_t DSIZE_T;
 #define RB_ALLOCV_N(type, v, n)                             \
     RBIMPL_CAST((type *)                                     \
         (((size_t)(n) < RUBY_ALLOCV_LIMIT / sizeof(type)) ? \
-         ((v) = 0, alloca((n) * sizeof(type))) :            \
+         ((v) = 0, !(n) ? NULL : alloca((n) * sizeof(type))) : \
          rb_alloc_tmp_buffer2(&(v), (n), sizeof(type))))
 
 /**
author	Nobuyoshi Nakada <nobu@ruby-lang.org>	2021-08-17 22:01:57 +0900
committer	Nobuyoshi Nakada <nobu@ruby-lang.org>	2021-12-10 01:04:59 +0900
commit	bcc2bb28b04054106f4a36e8fd69b2af6ecb033a (patch)
tree	7a97803a65f1fa1a617cbda6c40b4da23deeee53 /include
parent	9873af0b1a343dff6d1a8af4c813aa2c9ecc47d5 (diff)