ruby-changes:54638
From: naruse <ko1@a...>
Date: Fri, 18 Jan 2019 07:09:00 +0900 (JST)
Subject: [ruby-changes:54638] naruse:r66853 (ruby_2_6): merge revision(s) 66832: [Backport #15536]
naruse 2019-01-18 07:08:56 +0900 (Fri, 18 Jan 2019) New Revision: 66853 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=66853 Log: merge revision(s) 66832: [Backport #15536] st.c (rb_hash_bulk_insert_into_st_table): avoid out-of-bounds write "hash_bulk_insert" first expands the table, but the target size was wrong: it was calculated by "num_entries + (size to buld insert)", but it was wrong when "num_entries < entries_bound", i.e., it has a deleted entry. "hash_bulk_insert" adds the given entries from entries_bound, which led to out-of-bounds write access. [Bug #15536] As a simple fix, this commit changes the calculation to "entries_bound + size". I'm afraid if this might be inefficient, but I think it is safe anyway. Modified directories: branches/ruby_2_6/ Modified files: branches/ruby_2_6/bootstraptest/test_literal.rb branches/ruby_2_6/st.c branches/ruby_2_6/version.h Index: ruby_2_6/version.h =================================================================== --- ruby_2_6/version.h (revision 66852) +++ ruby_2_6/version.h (revision 66853) @@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_6/version.h#L1 #define RUBY_VERSION "2.6.0" #define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR -#define RUBY_PATCHLEVEL 21 +#define RUBY_PATCHLEVEL 22 #define RUBY_RELEASE_YEAR 2019 #define RUBY_RELEASE_MONTH 1 Index: ruby_2_6/bootstraptest/test_literal.rb =================================================================== --- ruby_2_6/bootstraptest/test_literal.rb (revision 66852) +++ ruby_2_6/bootstraptest/test_literal.rb (revision 66853) @@ -223,6 +223,24 @@ assert_equal 'ok', %q{ # long hash lite https://github.com/ruby/ruby/blob/trunk/ruby_2_6/bootstraptest/test_literal.rb#L223 :ok } +assert_equal 'ok', %q{ # Bug #15536 + eval <<-END + { + **{ + a0: nil, a1: nil, a2: nil, a3: nil, a4: nil, a5: nil, a6: nil, a7: nil, a8: nil, + }, + a0: nil, a1: nil, a2: nil, a3: nil, a4: nil, a5: nil, a6: nil, a7: nil, a8: nil, + **{ + c: nil + }, + b0: nil, b1: nil, b2: nil, b3: nil, b4: nil, b5: nil, b6: nil, b7: nil, b8: nil, + b9: nil, b10: nil, b11: nil, b12: nil, b13: nil, b14: nil, b15: nil, b16: nil, + b17: nil, b18: nil, b19: nil, b20: nil, b21: nil, + } + END + :ok +} + assert_equal 'ok', %q{ [print(:ok), exit] # void literal with side-effect :dummy Index: ruby_2_6/st.c =================================================================== --- ruby_2_6/st.c (revision 66852) +++ ruby_2_6/st.c (revision 66853) @@ -2299,7 +2299,7 @@ rb_hash_bulk_insert_into_st_table(long a https://github.com/ruby/ruby/blob/trunk/ruby_2_6/st.c#L2299 st_table *tab = RHASH_ST_TABLE(hash); tab = RHASH_TBL_RAW(hash); - n = tab->num_entries + size; + n = tab->entries_bound + size; st_expand_table(tab, n); if (UNLIKELY(tab->num_entries)) st_insert_generic(tab, argc, argv, hash); Index: ruby_2_6 =================================================================== --- ruby_2_6 (revision 66852) +++ ruby_2_6 (revision 66853) Property changes on: ruby_2_6 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /trunk:r66832 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/