From ed4aed86fbfdc8133148c6ffa2e03312a601a3cd Mon Sep 17 00:00:00 2001
From: nobu
Date: Fri, 17 Jun 2016 23:52:48 +0000
Subject: stringio.c: fix index overflow

* ext/stringio/stringio.c (strio_getline): fix pointer index overflow. reported by Guido Vranken .

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55432 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 5 +++++
 ext/stringio/stringio.c | 2 +-
 test/stringio/test_stringio.rb | 12 ++++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 27aa83aba1..914b57c10d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Sat Jun 18 08:52:46 2016 Nobuyoshi Nakada
+
+ * ext/stringio/stringio.c (strio_getline): fix pointer index
+ overflow. reported by Guido Vranken .
+
 Thu Jun 16 16:35:35 2016 Nobuyoshi Nakada
 * class.c (Init_class_hierarchy): prevent rb_cObject which is the
diff --git a/ext/stringio/stringio.c b/ext/stringio/stringio.c
index 4fdc4df51e..f35c702d0a 100644
--- a/ext/stringio/stringio.c
+++ b/ext/stringio/stringio.c
@@ -1021,7 +1021,7 @@ strio_getline(int argc, VALUE *argv, struct StringIO *ptr)
 s = RSTRING_PTR(ptr->string);
 e = s + RSTRING_LEN(ptr->string);
 s += ptr->pos;
- if (limit > 0 && s + limit < e) {
+ if (limit > 0 && (size_t)limit < (size_t)(e - s)) {
 e = rb_enc_right_char_head(s, s + limit, e, get_enc(ptr));
 }
 if (NIL_P(str)) {
diff --git a/test/stringio/test_stringio.rb b/test/stringio/test_stringio.rb
index bf3a9eeb1b..ce84800d4b 100644
--- a/test/stringio/test_stringio.rb
+++ b/test/stringio/test_stringio.rb
@@ -680,4 +680,16 @@ class TestStringIO < Test::Unit::TestCase
 StringIO.new {}
 end
 end
+
+ def test_overflow
+ limit = (1 << (RbConfig::SIZEOF["size_t"]*8-1)) - 0x10
+ assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}")
+ begin;
+ limit = #{limit}
+ x = ("a"*0x100000)
+ s = StringIO.new(x)
+ s.gets("xxx", limit)
+ assert_equal(0x100000, s.pos)
+ end;
+ end
 end
--
cgit v1.2.1
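Review bot: The rewritten condition `(size_t)limit < (size_t)(e - s)` is only sound while `e - s` is non-negative, i.e. while `ptr->pos <= RSTRING_LEN(ptr->string)`; a negative difference cast to size_t becomes huge, the test then passes for every positive limit, and `s + limit` on the following line again forms a pointer past the string. Whether strio_getline rejects `pos >= len` before this point cannot be seen here because the function starts above the hunk, so the dependency should at least be recorded next to the comparison: `/* compare lengths, not pointers: s + limit may overflow for a huge limit; requires pos <= len (checked above) */`. The casts could also be avoided — `limit`'s declaration is above the hunk, but if it is a signed integer as the `(size_t)` cast suggests, `limit > 0` is already established and `limit < e - s` compares two signed values cleanly and reads as what it is. strio_getline's body continues outside the hunk on both sides.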
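Review bot: test_overflow sizes `limit` from `RbConfig::SIZEOF["size_t"]`, but the value reaches the C side as a Ruby Integer that the stringio hunk appears to hold in a signed `long` (the new code casts it to size_t); on LLP64 targets such as 64-bit Windows `long` is 4 bytes while `size_t` is 8, so `2**63 - 0x10` would presumably fail the Integer-to-long conversion with a RangeError before the overflow path is ever reached, and the test would fail for an unrelated reason. Deriving the bound from the type that actually holds it, `limit = (1 << (RbConfig::SIZEOF["long"]*8-1)) - 0x10`, keeps the value just under LONG_MAX on every platform, which is also the range the old `s + limit < e` comparison overflowed in. The test also asserts only `s.pos`; additionally pinning the return value, `assert_equal(x, s.gets("xxx", limit))`, would show that the whole buffer is returned rather than a truncated or nil result.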