[前][次][番号順一覧][スレッド一覧]

ruby-changes:55029

From: nagachika <ko1@a...>
Date: Wed, 13 Mar 2019 07:01:37 +0900 (JST)
Subject: [ruby-changes:55029] nagachika:r67236 (ruby_2_5): merge revision(s) 66832: [Backport #15536]

nagachika	2019-03-13 07:01:32 +0900 (Wed, 13 Mar 2019)

  New Revision: 67236

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=67236

  Log:
    merge revision(s) 66832: [Backport #15536]
    
    st.c (rb_hash_bulk_insert_into_st_table): avoid out-of-bounds write
    
    "hash_bulk_insert" first expands the table, but the target size was
    wrong: it was calculated by "num_entries + (size to buld insert)", but
    it was wrong when "num_entries < entries_bound", i.e., it has a deleted
    entry.  "hash_bulk_insert" adds the given entries from entries_bound,
    which led to out-of-bounds write access.  [Bug #15536]
    
    As a simple fix, this commit changes the calculation to "entries_bound +
    size".  I'm afraid if this might be inefficient, but I think it is safe
    anyway.

  Modified directories:
    branches/ruby_2_5/
  Modified files:
    branches/ruby_2_5/bootstraptest/test_literal.rb
    branches/ruby_2_5/st.c
    branches/ruby_2_5/version.h
Index: ruby_2_5/st.c
===================================================================
--- ruby_2_5/st.c	(revision 67235)
+++ ruby_2_5/st.c	(revision 67236)
@@ -2292,7 +2292,7 @@ rb_hash_bulk_insert(long argc, const VAL https://github.com/ruby/ruby/blob/trunk/ruby_2_5/st.c#L2292
         RHASH(hash)->ntbl = tab = RHASH(tmp)->ntbl;
         RHASH(tmp)->ntbl = NULL;
     }
-    n = tab->num_entries + argc / 2;
+    n = tab->entries_bound + argc / 2;
     st_expand_table(tab, n);
     if (UNLIKELY(tab->num_entries))
         st_insert_generic(tab, argc, argv, hash);
Index: ruby_2_5/bootstraptest/test_literal.rb
===================================================================
--- ruby_2_5/bootstraptest/test_literal.rb	(revision 67235)
+++ ruby_2_5/bootstraptest/test_literal.rb	(revision 67236)
@@ -223,6 +223,24 @@ assert_equal 'ok', %q{ #  long hash lite https://github.com/ruby/ruby/blob/trunk/ruby_2_5/bootstraptest/test_literal.rb#L223
   :ok
 }
 
+assert_equal 'ok', %q{ #  Bug #15536
+  eval <<-END
+    {
+      **{
+        a0: nil, a1: nil, a2: nil, a3: nil, a4: nil, a5: nil, a6: nil, a7: nil, a8: nil,
+      },
+      a0: nil, a1: nil, a2: nil, a3: nil, a4: nil, a5: nil, a6: nil, a7: nil, a8: nil,
+      **{
+        c: nil
+      },
+      b0: nil, b1: nil, b2: nil, b3: nil, b4: nil, b5: nil, b6: nil, b7: nil, b8: nil,
+      b9: nil, b10: nil, b11: nil, b12: nil, b13: nil, b14: nil, b15: nil, b16: nil,
+      b17: nil, b18: nil, b19: nil, b20: nil, b21: nil,
+    }
+  END
+  :ok
+}
+
 assert_equal 'ok', %q{
   [print(:ok), exit] # void literal with side-effect
   :dummy
Index: ruby_2_5/version.h
===================================================================
--- ruby_2_5/version.h	(revision 67235)
+++ ruby_2_5/version.h	(revision 67236)
@@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_5/version.h#L1
 #define RUBY_VERSION "2.5.4"
 #define RUBY_RELEASE_DATE "2019-03-13"
-#define RUBY_PATCHLEVEL 148
+#define RUBY_PATCHLEVEL 149
 
 #define RUBY_RELEASE_YEAR 2019
 #define RUBY_RELEASE_MONTH 3
Index: ruby_2_5
===================================================================
--- ruby_2_5	(revision 67235)
+++ ruby_2_5	(revision 67236)

Property changes on: ruby_2_5
___________________________________________________________________
Modified: svn:mergeinfo
## -0,0 +0,1 ##
   Merged /trunk:r66832

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/

[前][次][番号順一覧][スレッド一覧]