-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | pack.c | 2 | ||||
-rw-r--r-- | test/ruby/test_pack.rb | 3 | ||||
-rw-r--r-- | version.h | 2 |
4 files changed, 12 insertions, 2 deletions
@@ -1,3 +1,10 @@
+Wed Mar 28 19:36:24 2018 Nobuyoshi Nakada <nobu@ruby-lang.org>
+
+ pack.c: fix underflow
+
+ * pack.c (pack_unpack_internal): get rid of underflow.
+ https://hackerone.com/reports/298246
+
 Wed Mar 28 19:30:54 2018 Nobuyoshi Nakada <nobu@ruby-lang.org>
 unixsocket.c: check NUL bytes
@@ -1235,7 +1235,7 @@ pack_unpack(VALUE str, VALUE fmt)
 else if (ISDIGIT(*p)) {
 errno = 0;
 len = STRTOUL(p, (char**)&p, 10);
- if (errno) {
+ if (len < 0 || errno) {
 rb_raise(rb_eRangeError, "pack length too big");
 }
 }
diff --git a/test/ruby/test_pack.rb b/test/ruby/test_pack.rb
index b0fd0b7158..b59faec9f3 100644
--- a/test/ruby/test_pack.rb
+++ b/test/ruby/test_pack.rb
@@ -548,6 +548,9 @@ class TestPack < Test::Unit::TestCase
 assert_equal([1, 2], "\x01\x00\x00\x02".unpack("C@3C"))
 assert_equal([nil], "\x00".unpack("@1C")) # is it OK?
 assert_raise(ArgumentError) { "\x00".unpack("@2C") }
+
+ pos = (1 << [nil].pack("p").bytesize * 8) - 100 # -100
+ assert_raise(RangeError) {"0123456789".unpack("@#{pos}C10")}
 end
 def test_pack_unpack_percent
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.3.7"
 #define RUBY_RELEASE_DATE "2018-03-28"
-#define RUBY_PATCHLEVEL 453
+#define RUBY_PATCHLEVEL 454
 #define RUBY_RELEASE_YEAR 2018
 #define RUBY_RELEASE_MONTH 3 |
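Review bot: The added `len < 0` test in the pack.c hunk only catches an oversized count because the unsigned STRTOUL result is stored into `len`, which appears to be a signed long (its declaration is outside the hunk), so the rejection depends on an implementation-defined unsigned-to-signed conversion. Stating the bound directly would not depend on that: parse into an unsigned temporary, `unsigned long ulen = STRTOUL(p, (char**)&p, 10);`, and reject with `if (errno || ulen > LONG_MAX) {` before assigning to `len`. If the one-line form stays, a comment such as `/* a STRTOUL result above LONG_MAX turns negative in len; reject it before it is used as an offset or count */` would explain why a length parsed from digits can be negative. The body of pack_unpack starts and ends outside the hunk, so how `len` is used afterwards is not visible here.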
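Review bot: The `pos` value in the test_pack.rb hunk is sized from a pointer (`[nil].pack("p").bytesize`), but the check under test depends on the width of a C long. On a platform where long is narrower than a pointer, the number would presumably overflow inside STRTOUL and raise through the pre-existing `errno` path, so the assertion would pass without reaching the new `len < 0` branch. Sizing it from the native long, `pos = (1 << [0].pack("l!").bytesize * 8) - 100`, keeps the test on the intended branch. The trailing `# -100` would be clearer as `# wraps to -100 when stored in a signed long`. The enclosing test method starts outside the hunk.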