From e782b42f18f3ac7e5788c5be83048004ff51fa6f Mon Sep 17 00:00:00 2001
From: shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Sat, 7 Jun 2008 16:49:45 +0000
Subject: merge revision(s) 13699:13704: 	* marshal.c (r_bytes0):
 refined length check.  [ruby-dev:32059] 	* marshal.c (r_bytes0): check
 if source has enough data. 	  [ruby-dev:32054]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_5@16901 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog                 |  9 +++++++++
 marshal.c                 |  4 ++--
 test/ruby/test_marshal.rb | 20 ++++++++++++++++++++
 version.h                 |  2 +-
 4 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index c10e42d..62c6ace 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+Sun Jun  8 01:45:27 2008  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* marshal.c (r_bytes0): refined length check.  [ruby-dev:32059]
+
+Sun Jun  8 01:45:27 2008  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* marshal.c (r_bytes0): check if source has enough data.
+	  [ruby-dev:32054]
+
 Sun Jun  8 01:37:58 2008  Tanaka Akira  <akr@fsij.org>
 
 	* ext/socket/socket.c (s_accept_nonblock): make accepted fd
diff --git a/marshal.c b/marshal.c
index b338c15..cccf26f 100644
--- a/marshal.c
+++ b/marshal.c
@@ -468,7 +468,7 @@ w_object(obj, arg, limit)
 	return;
     }
 
-    if (ivtbl = rb_generic_ivar_table(obj)) {
+    if ((ivtbl = rb_generic_ivar_table(obj)) != 0) {
 	w_byte(TYPE_IVAR, arg);
     }
     if (obj == Qnil) {
@@ -873,7 +873,7 @@ r_bytes0(len, arg)
 
     if (len == 0) return rb_str_new(0, 0);
     if (TYPE(arg->src) == T_STRING) {
-	if (RSTRING(arg->src)->len > arg->offset) {
+	if (RSTRING(arg->src)->len - arg->offset >= len) {
 	    str = rb_str_new(RSTRING(arg->src)->ptr+arg->offset, len);
 	    arg->offset += len;
 	}
diff --git a/test/ruby/test_marshal.rb b/test/ruby/test_marshal.rb
index 9c9fd94..11f3583 100644
--- a/test/ruby/test_marshal.rb
+++ b/test/ruby/test_marshal.rb
@@ -45,4 +45,24 @@ class TestMarshal < Test::Unit::TestCase
       assert_equal(a, b)
     }
   end
+
+  class C
+    def initialize(str)
+      @str = str
+    end
+    def _dump(limit)
+      @str
+    end
+    def self._load(s)
+      new(s)
+    end
+  end
+
+  def test_too_long_string
+    (data = Marshal.dump(C.new("a")))[-2, 1] = "\003\377\377\377"
+    e = assert_raise(ArgumentError, "[ruby-dev:32054]") {
+      Marshal.load(data)
+    }
+    assert_equal("marshal data too short", e.message)
+  end
 end
diff --git a/version.h b/version.h
index 9756fe6..35a420b 100644
--- a/version.h
+++ b/version.h
@@ -2,7 +2,7 @@
 #define RUBY_RELEASE_DATE "2008-06-08"
 #define RUBY_VERSION_CODE 185
 #define RUBY_RELEASE_CODE 20080608
-#define RUBY_PATCHLEVEL 135
+#define RUBY_PATCHLEVEL 136
 
 #define RUBY_VERSION_MAJOR 1
 #define RUBY_VERSION_MINOR 8
-- 
cgit v1.1