From 62539b49a7aebd4a948fef30461841e123bad461 Mon Sep 17 00:00:00 2001
From: nobu
Date: Sun, 13 Dec 2015 09:25:15 +0000
Subject: tkutil.c: array length
* ext/tk/tkutil/tkutil.c (cbsubst_table_setup): check length of argument arrays for each access, as callback methods can modify them. reported by Marcin 'Icewall' Noga of Cisco Talos.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53076 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 6 +++++-
 ext/tk/tkutil/tkutil.c | 12 ++++--------
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index cc8f4238ac..acc2d637af 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,8 @@
-Sun Dec 13 18:23:37 2015 Nobuyoshi Nakada
+Sun Dec 13 18:25:16 2015 Nobuyoshi Nakada
+
+ * ext/tk/tkutil/tkutil.c (cbsubst_table_setup): check length of
+ argument arrays for each access, as callback methods can modify
+ them. reported by Marcin 'Icewall' Noga of Cisco Talos.
 * ext/tk/tkutil/tkutil.c (cbsubst_table_setup): check types of argument elements. reported by Marcin 'Icewall' Noga of Cisco
diff --git a/ext/tk/tkutil/tkutil.c b/ext/tk/tkutil/tkutil.c
index adc14c0cff..fc9ed2d5e3 100644
--- a/ext/tk/tkutil/tkutil.c
+++ b/ext/tk/tkutil/tkutil.c
@@ -1568,7 +1568,7 @@ cbsubst_table_setup(argc, argv, self)
 const VALUE *infp;
 ID id;
 struct cbsubst_info *subst_inf;
- long idx, len;
+ long idx;
 unsigned char chr;
 /* accept (key_inf, proc_inf) or (key_inf, longkey_inf, procinf) */
@@ -1594,8 +1594,7 @@ cbsubst_table_setup(argc, argv, self)
 * type ==> char code or string
 * ivar ==> symbol
 */
- len = RARRAY_LEN(key_inf);
- for(idx = 0; idx < len; idx++) {
+ for(idx = 0; idx < RARRAY_LEN(key_inf); idx++) {
 inf = RARRAY_AREF(key_inf, idx);
 if (!RB_TYPE_P(inf, T_ARRAY)) continue;
 if (RARRAY_LEN(inf) < 3) continue;
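Review bot: The inner array `inf` in the `key_inf` loop is still length-checked only once (`if (RARRAY_LEN(inf) < 3) continue;`) before its elements are used, even though the outer bound is now re-read on every pass; the `longkey_inf` and `proc_inf` loops follow the same pattern. The rest of each loop body lies outside these hunks, so this is inferred: if any conversion there can call back into Ruby between that check and a later `RARRAY_AREF(inf, n)`, a callback could shrink `inf` in the same way the commit message describes for the outer arrays. Reading the elements into locals directly after the check, before any conversion runs, would close that window, e.g. `VALUE e0 = RARRAY_AREF(inf, 0), e1 = RARRAY_AREF(inf, 1), e2 = RARRAY_AREF(inf, 2);`.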
@@ -1622,8 +1621,7 @@ cbsubst_table_setup(argc, argv, self)
 * type ==> char code or string
 * ivar ==> symbol
 */
- len = RARRAY_LEN(longkey_inf);
- for(idx = 0; idx < len; idx++) {
+ for(idx = 0; idx < RARRAY_LEN(longkey_inf); idx++) {
 inf = RARRAY_AREF(longkey_inf, idx);
 if (!RB_TYPE_P(inf, T_ARRAY)) continue;
 if (RARRAY_LEN(inf) < 3) continue;
@@ -1652,9 +1650,7 @@ cbsubst_table_setup(argc, argv, self)
 * type ==> char code or string
 * proc ==> proc/method/obj (must respond to 'call')
 */
- len = RARRAY_LEN(proc_inf);
- for(idx = 0; idx < len; idx++) {
- VALUE type, proc;
+ for(idx = 0; idx < RARRAY_LEN(proc_inf); idx++) {
 inf = RARRAY_AREF(proc_inf, idx);
 if (!RB_TYPE_P(inf, T_ARRAY)) continue;
 if (RARRAY_LEN(inf) < 2) continue;
-- cgit v1.2.3
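Review bot: The rewritten loop headers for `longkey_inf` and `proc_inf` (and the `key_inf` one in the earlier hunk) carry no comment explaining why the length is evaluated on every iteration, so a later cleanup could hoist it back into a local and reintroduce the stale bound. A one-line comment above each loop would pin the intent: `/* do not cache RARRAY_LEN: callbacks run in the body may resize the array */`. The loop bodies continue outside these hunks.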