diff options
-rw-r--r-- | ChangeLog | 15 | ||||
-rw-r--r-- | ext/bigdecimal/bigdecimal.c | 102 | ||||
-rw-r--r-- | version.h | 8 |
3 files changed, 77 insertions, 48 deletions
@@ -1,3 +1,18 @@ +Mon Jun 8 08:15:36 2009 Yukihiro Matsumoto <matz@ruby-lang.org> + + * ext/bigdecimal/bigdecimal.c (VpAlloc): avoid ALLOCA_N() to avoid + segmentation fault caused by (insanely) long decimal values. + backported from 1.9. CVE-2009-1904 + + * ext/bigdecimal/bigdecimal.c (BigDecimal_dump, BigDecimal_to_i, + BigDecimal_to_f, BigDecimal_to_s, BigDecimal_split, + BigDecimal_inspect): ditto. + +Mon Jun 8 08:15:36 2009 Yukihiro Matsumoto <matz@ruby-lang.org> + + * ext/bigdecimal/bigdecimal.c (BigDecimal_to_f): returns Inf if + exp is bigger than DBL_MANT_DIG. + Wed Jun 3 21:16:30 2009 Tanaka Akira <akr@fsij.org> * file.c: include fcntl.h for O_RDONLY on Solaris. diff --git a/ext/bigdecimal/bigdecimal.c b/ext/bigdecimal/bigdecimal.c index fbf3a87421..4264d22c9f 100644 --- a/ext/bigdecimal/bigdecimal.c +++ b/ext/bigdecimal/bigdecimal.c @@ -306,17 +306,19 @@ static VALUE BigDecimal_dump(int argc, VALUE *argv, VALUE self) { ENTER(5); - char sz[50]; Real *vp; char *psz; VALUE dummy; + volatile VALUE dump; + rb_scan_args(argc, argv, "01", &dummy); GUARD_OBJ(vp,GetVpValue(self,1)); - sprintf(sz,"%lu:",VpMaxPrec(vp)*VpBaseFig()); - psz = ALLOCA_N(char,(unsigned int)VpNumOfChars(vp,"E")+strlen(sz)); - sprintf(psz,"%s",sz); + dump = rb_str_new(0,VpNumOfChars(vp,"E")+50); + psz = RSTRING_PTR(dump); + sprintf(psz,"%lu:",VpMaxPrec(vp)*VpBaseFig()); VpToString(vp, psz+strlen(psz), 0, 0); - return rb_str_new2(psz); + rb_str_resize(dump, strlen(psz)); + return dump; } /* @@ -520,6 +522,7 @@ BigDecimal_to_i(VALUE self) ENTER(5); int e,n,i,nf; U_LONG v,b,j; + volatile VALUE str; char *psz,*pch; Real *p; @@ -527,14 +530,14 @@ BigDecimal_to_i(VALUE self) /* Infinity or NaN not converted. */ if(VpIsNaN(p)) { - VpException(VP_EXCEPTION_NaN,"Computation results to 'NaN'(Not a Number)",0); - return Qnil; + VpException(VP_EXCEPTION_NaN,"Computation results to 'NaN'(Not a Number)",1); + return Qnil; /* not reached */ } else if(VpIsPosInf(p)) { - VpException(VP_EXCEPTION_INFINITY,"Computation results to 'Infinity'",0); - return Qnil; + VpException(VP_EXCEPTION_INFINITY,"Computation results to 'Infinity'",1); + return Qnil; /* not reached */ } else if(VpIsNegInf(p)) { - VpException(VP_EXCEPTION_INFINITY,"Computation results to '-Infinity'",0); - return Qnil; + VpException(VP_EXCEPTION_INFINITY,"Computation results to '-Infinity'",1); + return Qnil; /* not reached */ } e = VpExponent10(p); @@ -544,7 +547,8 @@ BigDecimal_to_i(VALUE self) e = VpGetSign(p)*p->frac[0]; return INT2FIX(e); } - psz = ALLOCA_N(char,(unsigned int)(e+nf+2)); + str = rb_str_new(0, e+nf+2); + psz = RSTRING_PTR(str); n = (e+nf-1)/nf; pch = psz; @@ -589,17 +593,21 @@ BigDecimal_to_f(VALUE self) double d; S_LONG e; char *buf; + volatile VALUE str; GUARD_OBJ(p,GetVpValue(self,1)); if(VpVtoD(&d, &e, p)!=1) return rb_float_new(d); - buf = ALLOCA_N(char,(unsigned int)VpNumOfChars(p,"E")); + if (e > DBL_MAX_10_EXP) goto erange; + str = rb_str_new(0, VpNumOfChars(p,"E")); + buf = RSTRING_PTR(str); VpToString(p, buf, 0, 0); errno = 0; d = strtod(buf, 0); if(errno == ERANGE) { + erange: VpException(VP_EXCEPTION_OVERFLOW,"BigDecimal to Float conversion",0); - if(d>0.0) return rb_float_new(DBL_MAX); - else return rb_float_new(-DBL_MAX); + if(d>0.0) d = VpGetDoublePosInf(); + else d = VpGetDoubleNegInf(); } return rb_float_new(d); } @@ -1491,6 +1499,7 @@ BigDecimal_to_s(int argc, VALUE *argv, VALUE self) int fmt=0; /* 0:E format */ int fPlus=0; /* =0:default,=1: set ' ' before digits ,set '+' before digits. */ Real *vp; + volatile VALUE str; char *psz; char ch; U_LONG nc; @@ -1527,14 +1536,16 @@ BigDecimal_to_s(int argc, VALUE *argv, VALUE self) } if(mc>0) nc += (nc + mc - 1) / mc + 1; - psz = ALLOCA_N(char,(unsigned int)nc); + str = rb_str_new(0, nc); + psz = RSTRING_PTR(str); if(fmt) { VpToFString(vp, psz, mc, fPlus); } else { VpToString (vp, psz, mc, fPlus); } - return rb_str_new2(psz); + rb_str_resize(str, strlen(psz)); + return str; } /* Splits a BigDecimal number into four parts, returned as an array of values. @@ -1566,24 +1577,29 @@ BigDecimal_split(VALUE self) { ENTER(5); Real *vp; - VALUE obj,obj1; + VALUE obj,str; S_LONG e; S_LONG s; char *psz1; GUARD_OBJ(vp,GetVpValue(self,1)); - psz1 = ALLOCA_N(char,(unsigned int)VpNumOfChars(vp,"E")); + str = rb_str_new(0, VpNumOfChars(vp,"E")); + psz1 = RSTRING_PTR(str); VpSzMantissa(vp,psz1); s = 1; if(psz1[0]=='-') { - s = -1; ++psz1; + int len = strlen(psz1+1); + + memmove(psz1, psz1+1, len); + psz1[len] = '\0'; + s = -1; } if(psz1[0]=='N') s=0; /* NaN */ e = VpExponent10(vp); - obj1 = rb_str_new2(psz1); obj = rb_ary_new2(4); rb_ary_push(obj, INT2FIX(s)); - rb_ary_push(obj, obj1); + rb_ary_push(obj, str); + rb_str_resize(str, strlen(psz1)); rb_ary_push(obj, INT2FIX(10)); rb_ary_push(obj, INT2NUM(e)); return obj; @@ -1616,20 +1632,22 @@ BigDecimal_inspect(VALUE self) { ENTER(5); Real *vp; - VALUE obj; + volatile VALUE obj; unsigned int nc; - char *psz1; - char *pszAll; + char *psz, *tmp; GUARD_OBJ(vp,GetVpValue(self,1)); nc = VpNumOfChars(vp,"E"); nc +=(nc + 9) / 10; - psz1 = ALLOCA_N(char,nc); - pszAll = ALLOCA_N(char,nc+256); - VpToString(vp, psz1, 10, 0); - sprintf(pszAll,"#<BigDecimal:%lx,'%s',%lu(%lu)>",self,psz1,VpPrec(vp)*VpBaseFig(),VpMaxPrec(vp)*VpBaseFig()); - obj = rb_str_new2(pszAll); + obj = rb_str_new(0, nc+256); + psz = RSTRING_PTR(obj); + sprintf(psz,"#<BigDecimal:%lx,'",self); + tmp = psz + strlen(psz); + VpToString(vp, tmp, 10, 0); + tmp += strlen(tmp); + sprintf(tmp,"',%lu(%lu)>",VpPrec(vp)*VpBaseFig(),VpMaxPrec(vp)*VpBaseFig()); + rb_str_resize(obj, strlen(psz)); return obj; } @@ -2482,6 +2500,7 @@ VpAlloc(U_LONG mx, const char *szVal) int sign=1; Real *vp = NULL; U_LONG mf = VpGetPrecLimit(); + volatile VALUE buf; mx = (mx + BASE_FIG - 1) / BASE_FIG + 1; /* Determine allocation unit. */ if(szVal) { @@ -2509,7 +2528,8 @@ VpAlloc(U_LONG mx, const char *szVal) /* Skip all '_' after digit: 2006-6-30 */ ni = 0; - psz = ALLOCA_N(char,strlen(szVal)+1); + buf = rb_str_new(0,strlen(szVal)+1); + psz = RSTRING_PTR(buf); i = 0; ipn = 0; while((psz[i]=szVal[ipn])!=0) { @@ -3601,7 +3621,7 @@ VPrint(FILE *fp, char *cntl_chr, Real *a) nc += fprintf(fp, "0."); n = a->Prec; for(i=0;i < n;++i) { - m = BASE1; + m = BASE1; e = a->frac[i]; while(m) { nn = e / m; @@ -3783,7 +3803,7 @@ VpToString(Real *a,char *psz,int fFmt,int fPlus) /* fPlus =0:default, =1: set ' ' before digits , =2:set '+' before digits. */ { U_LONG i, ZeroSup; - U_LONG n, m, e, nn; + U_LONG n, e; char *pszSav = psz; S_LONG ex; @@ -3799,18 +3819,12 @@ VpToString(Real *a,char *psz,int fFmt,int fPlus) *psz++ = '.'; n = a->Prec; for(i=0;i < n;++i) { - m = BASE1; e = a->frac[i]; - while(m) { - nn = e / m; - if((!ZeroSup) || nn) { - sprintf(psz, "%lu", nn); /* The reading zero(s) */ - psz += strlen(psz); - /* as 0.00xx will be ignored. */ - ZeroSup = 0; /* Set to print succeeding zeros */ - } - e = e - nn * m; - m /= 10; + if((!ZeroSup) || e) { + sprintf(psz, "%lu", e); /* The reading zero(s) */ + psz += strlen(psz); + /* as 0.00xx will be ignored. */ + ZeroSup = 0; /* Set to print succeeding zeros */ } } ex =(a->exponent) * BASE_FIG; @@ -1,15 +1,15 @@ #define RUBY_VERSION "1.8.7" -#define RUBY_RELEASE_DATE "2009-06-03" +#define RUBY_RELEASE_DATE "2009-06-08" #define RUBY_VERSION_CODE 187 -#define RUBY_RELEASE_CODE 20090603 -#define RUBY_PATCHLEVEL 171 +#define RUBY_RELEASE_CODE 20090608 +#define RUBY_PATCHLEVEL 172 #define RUBY_VERSION_MAJOR 1 #define RUBY_VERSION_MINOR 8 #define RUBY_VERSION_TEENY 7 #define RUBY_RELEASE_YEAR 2009 #define RUBY_RELEASE_MONTH 6 -#define RUBY_RELEASE_DAY 3 +#define RUBY_RELEASE_DAY 8 #ifdef RUBY_EXTERN RUBY_EXTERN const char ruby_version[]; |