ruby-changes:43336
From: nobu <ko1@a...>
Date: Tue, 14 Jun 2016 22:07:31 +0900 (JST)
Subject: [ruby-changes:43336] nobu:r55410 (trunk): date_strftime.c: check precision
nobu 2016-06-14 22:07:27 +0900 (Tue, 14 Jun 2016) New Revision: 55410 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=55410 Log: date_strftime.c: check precision * ext/date/date_strftime.c (date_strftime_with_tmx): reject too large precision to get rid of buffer overflow. reported by Guido Vranken <guido AT guidovranken.nl>. Modified files: trunk/ChangeLog trunk/ext/date/date_strftime.c trunk/test/date/test_date_strftime.rb Index: ext/date/date_strftime.c =================================================================== --- ext/date/date_strftime.c (revision 55409) +++ ext/date/date_strftime.c (revision 55410) @@ -48,7 +48,7 @@ downcase(char *s, size_t i) https://github.com/ruby/ruby/blob/trunk/ext/date/date_strftime.c#L48 /* strftime --- produce formatted time */ static size_t -date_strftime_with_tmx(char *s, size_t maxsize, const char *format, +date_strftime_with_tmx(char *s, const size_t maxsize, const char *format, const struct tmx *tmx) { char *endp = s + maxsize; @@ -575,7 +575,12 @@ date_strftime_with_tmx(char *s, size_t m https://github.com/ruby/ruby/blob/trunk/ext/date/date_strftime.c#L575 case '5': case '6': case '7': case '8': case '9': { char *e; - precision = (int)strtoul(format, &e, 10); + unsigned long prec = strtoul(format, &e, 10); + if (prec > INT_MAX || prec > maxsize) { + errno = ERANGE; + return 0; + } + precision = (int)prec; format = e - 1; goto again; } Index: test/date/test_date_strftime.rb =================================================================== --- test/date/test_date_strftime.rb (revision 55409) +++ test/date/test_date_strftime.rb (revision 55410) 
@@ -420,4 +420,12 @@ class TestDateStrftime < Test::Unit::Tes https://github.com/ruby/ruby/blob/trunk/test/date/test_date_strftime.rb#L420 end + def test_overflow + assert_raise(ArgumentError, Errno::ERANGE) { + Date.new(2000,1,1).strftime("%2147483647c") + } + assert_raise(ArgumentError, Errno::ERANGE) { + DateTime.new(2000,1,1).strftime("%2147483647c") + } + end end Index: ChangeLog =================================================================== --- ChangeLog (revision 55409) +++ ChangeLog (revision 55410) @@ -1,3 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Tue Jun 14 22:07:25 2016 Nobuyoshi Nakada <nobu@r...> + + * ext/date/date_strftime.c (date_strftime_with_tmx): reject too + large precision to get rid of buffer overflow. + reported by Guido Vranken <guido AT guidovranken.nl>. + Tue Jun 14 21:40:42 2016 Kazuki Yamaguchi <k@r...> * ext/openssl/ossl_ocsp.c (ossl_ocspbres_to_der, ossl_ocspcid_to_der): -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
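Review bot: In the `@@ -575,7 +575,12 @@` hunk of ext/date/date_strftime.c, the new test `prec > maxsize` compares the precision with the size of the whole output buffer, not with the room left before `endp` at the point where the directive is expanded. A precision that is no larger than `maxsize` but larger than the space still free passes this check, so the overflow is only closed if the code that later consumes `precision` is itself bounded by `endp`, and that code is not visible in this hunk. Consider rejecting against the remaining space instead (for example `prec > (size_t)(endp - s)`, assuming `s` is advanced as output is written), or add a comment naming the later bounds check that covers this case. A short comment that `prec > INT_MAX` also catches `strtoul` saturating on an over-long digit string would help the next reader, and since the function now returns 0 with `errno = ERANGE`, the caller needs to distinguish that from a legitimately empty result.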
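Review bot: In `test_overflow` (test/date/test_date_strftime.rb, `@@ -420,4 +420,12 @@`), both assertions use `%2147483647c`, which is exactly INT_MAX where `int` is 32 bits, so the `prec > INT_MAX` branch of the C check is never exercised and only `prec > maxsize` rejects the input. Add a case with a precision above INT_MAX (for example `%2147483648c`), one with a digit string long enough to saturate `strtoul`, and one with a much smaller precision that still exceeds the output buffer, so each half of the condition has its own regression test. `assert_raise(ArgumentError, Errno::ERANGE)` accepts either class, which leaves the error contract unpinned; assert the single exception callers are meant to see.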