
ruby-changes:42231

From: nobu <ko1@a...>
Date: Mon, 28 Mar 2016 08:19:00 +0900 (JST)
Subject: [ruby-changes:42231] nobu:r54304 (trunk): sprintf.c: fix buffer overflow

nobu	2016-03-28 08:18:52 +0900 (Mon, 28 Mar 2016)

  New Revision: 54304

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=54304

  Log:
    sprintf.c: fix buffer overflow
    
    * sprintf.c (rb_str_format): fix buffer overflow, length must be
      greater than precision.  reported by William Bowling <will AT
      wbowling.info>.

  Modified files:
    trunk/ChangeLog
    trunk/sprintf.c
    trunk/test/ruby/test_sprintf.rb
Index: ChangeLog
===================================================================
--- ChangeLog	(revision 54303)
+++ ChangeLog	(revision 54304)
@@ -1,3 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1
+Mon Mar 28 08:18:51 2016  Nobuyoshi Nakada  <nobu@r...>
+
+	* sprintf.c (rb_str_format): fix buffer overflow, length must be
+	  greater than precision.  reported by William Bowling <will AT
+	  wbowling.info>.
+
 Sun Mar 27 12:13:37 2016  Nobuyoshi Nakada  <nobu@r...>
 
 	* sprintf.c (rb_str_format): convert Rational to floating point
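Review bot: The new entry at the top of this hunk says only "length must be greater than precision" and does not name the affected conversion or argument type. The test added in the same revision is test_rational_precision with `%.600f`, and the changed line is guarded by `prec >= len`, so the entry could state that the overflow occurs when formatting a Rational with a precision at least as long as the converted digit string. A ticket or report reference next to the reporter credit would also make the entry easier to trace later.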
Index: test/ruby/test_sprintf.rb
===================================================================
--- test/ruby/test_sprintf.rb	(revision 54303)
+++ test/ruby/test_sprintf.rb	(revision 54304)
@@ -177,6 +177,10 @@ class TestSprintf < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/ruby/test_sprintf.rb#L177
     assert_equal("x"*10+"     1.0", sprintf("x"*10+"%8.1f", 1r), bug11766)
   end
 
+  def test_rational_precision
+    assert_match(/\A0\.\d{600}\z/, sprintf("%.600f", 600**~60))
+  end
+
   def test_hash
     options = {:capture=>/\d+/}
     assert_equal("with options {:capture=>/\\d+/}", sprintf("with options %p" % options))
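Review bot: test_rational_precision covers only the bare `%.600f` case, so the sign/space branch that follows the fixed line in sprintf.c (`if (sign || (flags&FSPACE)) ++len;`) and the `width` side of `CHECK(len > width ? len : width)` are never exercised at large precision. Consider adding `%+.600f`, `% .600f`, a negative argument, and a case with an explicit width to the same test. The argument `600**~60` is also harder to read than it needs to be: `~60` is `-61`, so `600**-61` says the same thing directly. An assertion message, like the `bug11766` one passed in the test just above, would help when this fails in the future.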
Index: sprintf.c
===================================================================
--- sprintf.c	(revision 54303)
+++ sprintf.c	(revision 54304)
@@ -1070,7 +1070,7 @@ rb_str_format(int argc, const VALUE *arg https://github.com/ruby/ruby/blob/trunk/sprintf.c#L1070
 		}
 		val = rb_int2str(num, 10);
 		len = RSTRING_LEN(val) + zero;
-		if (prec >= len) ++len; /* integer part 0 */
+		if (prec >= len) len = prec + 1; /* integer part 0 */
 		if (sign || (flags&FSPACE)) ++len;
 		if (prec > 0) ++len; /* period */
 		CHECK(len > width ? len : width);
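Review bot: With `len = prec + 1` the buffer size now tracks the caller-supplied precision directly, and up to two more `++len` follow before `CHECK(len > width ? len : width)`. The hunk shows neither the types of `prec` and `len` nor any upper bound on `prec`, so please confirm that this sum cannot wrap before CHECK sees it. The trailing comment `/* integer part 0 */` also no longer describes the line, since the assignment now reserves room for the leading fractional zeros as well as the integer-part zero; updating it would keep the next reader from simplifying it back to `++len`.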

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
