ruby-changes:40996
From: nobu <ko1@a...>
Date: Sun, 13 Dec 2015 18:23:44 +0900 (JST)
Subject: [ruby-changes:40996] nobu:r53075 (trunk): tkutil.c: check args
nobu 2015-12-13 18:23:36 +0900 (Sun, 13 Dec 2015) New Revision: 53075 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=53075 Log: tkutil.c: check args * ext/tk/tkutil/tkutil.c (cbsubst_table_setup): check types of argument elements. reported by Marcin 'Icewall' Noga of Cisco Talos. Modified files: trunk/ChangeLog trunk/ext/tk/tkutil/tkutil.c
Index: ChangeLog
===================================================================
--- ChangeLog (revision 53074)
+++ ChangeLog (revision 53075)
@@ -1,3 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1
+Sun Dec 13 18:23:37 2015 Nobuyoshi Nakada <nobu@r...>
+
+ * ext/tk/tkutil/tkutil.c (cbsubst_table_setup): check types of
+ argument elements. reported by Marcin 'Icewall' Noga of Cisco
+ Talos.
+
 Sun Dec 13 18:19:20 2015 Nobuyoshi Nakada <nobu@r...>
 * ext/win32ole/win32ole.c (ole_vstr2wc): check argument type, vstr
Index: ext/tk/tkutil/tkutil.c
===================================================================
--- ext/tk/tkutil/tkutil.c (revision 53074)
+++ ext/tk/tkutil/tkutil.c (revision 53075)
@@ -1564,7 +1564,7 @@ cbsubst_table_setup(argc, argv, self) https://github.com/ruby/ruby/blob/trunk/ext/tk/tkutil/tkutil.c#L1564
 volatile VALUE key_inf;
 volatile VALUE longkey_inf;
 volatile VALUE proc_inf;
- VALUE inf;
+ VALUE inf, subst, name, type, ivar, proc;
 const VALUE *infp;
 ID id;
 struct cbsubst_info *subst_inf;
@@ -1598,14 +1598,18 @@ cbsubst_table_setup(argc, argv, self) https://github.com/ruby/ruby/blob/trunk/ext/tk/tkutil/tkutil.c#L1598
 for(idx = 0; idx < len; idx++) {
 inf = RARRAY_AREF(key_inf, idx);
 if (!RB_TYPE_P(inf, T_ARRAY)) continue;
+ if (RARRAY_LEN(inf) < 3) continue;
 infp = RARRAY_CONST_PTR(inf);
+ subst = infp[0];
+ type = infp[1];
+ ivar = infp[2];
- chr = NUM2CHR(infp[0]);
- subst_inf->type[chr] = NUM2CHR(infp[1]);
+ chr = NUM2CHR(subst);
+ subst_inf->type[chr] = NUM2CHR(type);
 subst_inf->full_subst_length += 3;
- id = SYM2ID(infp[2]);
+ id = SYM2ID(ivar);
 subst_inf->ivar[chr] = rb_intern_str(rb_sprintf("@%"PRIsVALUE, rb_id2str(id)));
 rb_attr(self, id, 1, 0, Qtrue);
@@ -1622,17 +1626,22 @@ cbsubst_table_setup(argc, argv, self) https://github.com/ruby/ruby/blob/trunk/ext/tk/tkutil/tkutil.c#L1626
 for(idx = 0; idx < len; idx++) {
 inf = RARRAY_AREF(longkey_inf, idx);
 if (!RB_TYPE_P(inf, T_ARRAY)) continue;
+ if (RARRAY_LEN(inf) < 3) continue;
 infp = RARRAY_CONST_PTR(inf);
+ name = infp[0];
+ type = infp[1];
+ ivar = infp[2];
+ Check_Type(name, T_STRING);
 chr = (unsigned char)(0x80 + idx);
- subst_inf->keylen[chr] = RSTRING_LEN(infp[0]);
- subst_inf->key[chr] = strndup(RSTRING_PTR(infp[0]),
- RSTRING_LEN(infp[0]));
- subst_inf->type[chr] = NUM2CHR(infp[1]);
+ subst_inf->keylen[chr] = RSTRING_LEN(name);
+ subst_inf->key[chr] = strndup(RSTRING_PTR(name),
+ RSTRING_LEN(name));
+ subst_inf->type[chr] = NUM2CHR(type);
 subst_inf->full_subst_length += (subst_inf->keylen[chr] + 2);
- id = SYM2ID(infp[2]);
+ id = SYM2ID(ivar);
 subst_inf->ivar[chr] = rb_intern_str(rb_sprintf("@%"PRIsVALUE, rb_id2str(id)));
 rb_attr(self, id, 1, 0, Qtrue);
-- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
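Review bot: In the key_inf loop (`@@ -1598`), an entry with fewer than three elements is dropped by `continue` with no diagnostic, while a wrong-typed element in a full-length entry raises from the conversion macros, so a malformed table is rejected in one case and silently shortened in the other; the same applies to the longkey_inf loop at `@@ -1622`. If skipping is intended, say so in a comment next to the length check; otherwise raise, e.g. `rb_raise(rb_eArgError, "key entry needs [subst, type, ivar]");`. The three assignments from `infp` would also benefit from a comment such as `/* copy the elements out first: the conversions below may call into Ruby, so infp is not used after this point */` — that rationale is inferred from the code, the log only says "check types". The loop body continues past the end of the hunk.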
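Review bot: In the longkey_inf loop (`@@ -1622`), `chr = (unsigned char)(0x80 + idx)` truncates once idx reaches 0x80, so unless `len` is bounded before the loop (outside this hunk) a long list wraps around and overwrites table entries that were already written; a guard such as `if (idx >= 0x80) rb_raise(rb_eArgError, "too many longkeys");` ahead of that assignment would close it. Separately, `keylen[chr]` is taken from `RSTRING_LEN(name)` while `strndup` stops at the first NUL byte, so a name containing an embedded NUL leaves keylen larger than the allocated copy; rejecting such names (for example with `StringValueCStr(name)`) or deriving keylen from the copy keeps the two in step. The `strndup` result is also stored without a NULL check. How `key` and `keylen` are consumed later is not visible here, so the impact of the mismatch is not confirmed from this hunk alone.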