ruby-changes:43488
From: nagachika <ko1@a...>
Date: Sat, 2 Jul 2016 04:09:35 +0900 (JST)
Subject: [ruby-changes:43488] nagachika:r55561 (ruby_2_3): merge revision(s) 55427: [Backport #12503]
nagachika 2016-07-02 04:09:29 +0900 (Sat, 02 Jul 2016) New Revision: 55561 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=55561 Log: merge revision(s) 55427: [Backport #12503] * string.c (tr_trans): consider terminator length and fix heap overflow. reported by Guido Vranken <guido AT guidovranken.nl>. Modified directories: branches/ruby_2_3/ Modified files: branches/ruby_2_3/ChangeLog branches/ruby_2_3/string.c branches/ruby_2_3/version.h Index: ruby_2_3/version.h =================================================================== --- ruby_2_3/version.h (revision 55560) +++ ruby_2_3/version.h (revision 55561) @@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_3/version.h#L1 #define RUBY_VERSION "2.3.2" #define RUBY_RELEASE_DATE "2016-07-02" -#define RUBY_PATCHLEVEL 136 +#define RUBY_PATCHLEVEL 137 #define RUBY_RELEASE_YEAR 2016 #define RUBY_RELEASE_MONTH 7 Index: ruby_2_3/string.c =================================================================== --- ruby_2_3/string.c (revision 55560) +++ ruby_2_3/string.c (revision 55561) @@ -5981,6 +5981,7 @@ tr_trans(VALUE str, VALUE src, VALUE rep https://github.com/ruby/ruby/blob/trunk/ruby_2_3/string.c#L5981 char *s, *send; VALUE hash = 0; int singlebyte = single_byte_optimizable(str); + int termlen; int cr; #define CHECK_IF_ASCII(c) \ @@ -6062,11 +6063,12 @@ tr_trans(VALUE str, VALUE src, VALUE rep https://github.com/ruby/ruby/blob/trunk/ruby_2_3/string.c#L6063 cr = ENC_CODERANGE_7BIT; str_modify_keep_cr(str); s = RSTRING_PTR(str); send = RSTRING_END(str); + termlen = rb_enc_mbminlen(enc); if (sflag) { int clen, tlen; long offset, max = RSTRING_LEN(str); unsigned int save = -1; - char *buf = ALLOC_N(char, max), *t = buf; + char *buf = ALLOC_N(char, max + termlen), *t = buf; while (s < send) { int may_modify = 0; 
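Review bot: The rule that `buf` is always `max + termlen` bytes is not written down anywhere, yet it now has to hold at four separate sites: this `ALLOC_N`, the one in the later `else` branch (the -6145 hunk), and the `REALLOC_N` in both growth loops (the -6107 and -6180 hunks). A future resize that passes plain `max` would silently bring back the out-of-bounds write at `TERM_FILL`. I would add a comment at the `termlen = rb_enc_mbminlen(enc);` assignment, for example `/* buf is always max + termlen bytes: max bounds the payload, termlen is reserved for TERM_FILL */`. tr_trans begins and ends outside this hunk.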
@@ -6107,7 +6109,7 @@ tr_trans(VALUE str, VALUE src, VALUE rep https://github.com/ruby/ruby/blob/trunk/ruby_2_3/string.c#L6109 while (t - buf + tlen >= max) { offset = t - buf; max *= 2; - REALLOC_N(buf, char, max); + REALLOC_N(buf, char, max + termlen); t = buf + offset; } rb_enc_mbcput(c, t, enc); @@ -6120,7 +6122,7 @@ tr_trans(VALUE str, VALUE src, VALUE rep https://github.com/ruby/ruby/blob/trunk/ruby_2_3/string.c#L6122 if (!STR_EMBED_P(str)) { ruby_sized_xfree(STR_HEAP_PTR(str), STR_HEAP_SIZE(str)); } - TERM_FILL(t, rb_enc_mbminlen(enc)); + TERM_FILL(t, termlen); RSTRING(str)->as.heap.ptr = buf; RSTRING(str)->as.heap.len = t - buf; STR_SET_NOEMBED(str); @@ -6145,9 +6147,9 @@ tr_trans(VALUE str, VALUE src, VALUE rep https://github.com/ruby/ruby/blob/trunk/ruby_2_3/string.c#L6147 } } else { - int clen, tlen, max = (int)(RSTRING_LEN(str) * 1.2); - long offset; - char *buf = ALLOC_N(char, max), *t = buf; + int clen, tlen; + long offset, max = (long)((send - s) * 1.2); + char *buf = ALLOC_N(char, max + termlen), *t = buf; while (s < send) { int may_modify = 0; @@ -6180,7 +6182,7 @@ tr_trans(VALUE str, VALUE src, VALUE rep https://github.com/ruby/ruby/blob/trunk/ruby_2_3/string.c#L6182 while (t - buf + tlen >= max) { offset = t - buf; max *= 2; - REALLOC_N(buf, char, max); + REALLOC_N(buf, char, max + termlen); t = buf + offset; } if (s != t) { @@ -6196,7 +6198,7 @@ tr_trans(VALUE str, VALUE src, VALUE rep https://github.com/ruby/ruby/blob/trunk/ruby_2_3/string.c#L6198 if (!STR_EMBED_P(str)) { ruby_sized_xfree(STR_HEAP_PTR(str), STR_HEAP_SIZE(str)); } - TERM_FILL(t, rb_enc_mbminlen(enc)); + TERM_FILL(t, termlen); RSTRING(str)->as.heap.ptr = buf; RSTRING(str)->as.heap.len = t - buf; STR_SET_NOEMBED(str); Index: ruby_2_3/ChangeLog =================================================================== --- ruby_2_3/ChangeLog (revision 55560) +++ ruby_2_3/ChangeLog (revision 55561) 
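Review bot: `max *= 2` followed by `REALLOC_N(buf, char, max + termlen)` is plain signed `long` arithmetic with no overflow check, here and in the identical growth loop of the `else` branch (the -6180 hunk). REALLOC_N presumably guards the count-times-size multiplication, but it cannot see the doubling or the addition done before the call, and signed overflow is undefined behaviour. This looks reachable only for very large strings, mainly where `long` is 32 bits. A guard ahead of the doubling, such as `if (max > (LONG_MAX - termlen) / 2) { xfree(buf); rb_raise(rb_eArgError, "string size too big"); }`, would make the limit explicit. The loop sits inside a larger body that the hunk does not show, so any other cleanup needed on that path should be checked.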
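Review bot: No regression test accompanies the fix for the `TERM_FILL(t, termlen)` write here and in the -6196 hunk, which appears to be where the missing terminator room was overrun. The modified-files list names only ChangeLog, string.c and version.h. I would add a test that drives both the `sflag` and the non-`sflag` path of tr_trans with a string in an encoding whose `rb_enc_mbminlen` is greater than one. Running it under a memory checker in CI would catch a later sizing regression instead of letting it corrupt the heap silently.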
@@ -1,3 +1,8 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_3/ChangeLog#L1 +Sat Jul 2 04:00:50 2016 Nobuyoshi Nakada <nobu@r...> + + * string.c (tr_trans): consider terminator length and fix heap + overflow. reported by Guido Vranken <guido AT guidovranken.nl>. + Sat Jul 2 03:33:28 2016 Shugo Maeda <shugo@r...> * vm.c (invoke_bmethod, invoke_block_from_c_0): revert r52104 Property changes on: ruby_2_3 ___________________________________________________________________ Modified: svn:mergeinfo Merged /trunk:r55427 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/